Date: Tue, 25 Jan 2000 12:20:28 +0100 From: Chan Wilson <cwilson@NEU.SGI.COM> Subject: Re: majordomo 1.94.5 does not fix all vulnerabilities To: BUGTRAQ@SECURITYFOCUS.COM Brock Sides <bsides@TOWERY.COM> spaketh thusly on Mon, 24 Jan 2000 14:55:42 -0600 about majordomo 1.94.5 does not fix all vulnerabilities... > Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock > Tellier, that permits execution of arbitrary code as user majordomo, it > apparently does not fix the other bug in the script majordomo, that > permits execution of arbitrary config files as user majordomo: Correct. That is far better addressed at a o/s level by protecting the directory that the majordomo code lives in. A security note has been added to the top of the INSTALL document that attempts to highlight this matter: ** SECURITY ALERT ** The default installation of Majordomo, including the checks that config-test does, WILL NOT RESULT IN A SECURE INSTALLATION. In particular, the majordomo home directory and the "wrapper" program are, by default, accessible to any user. These open privileges can be (mis)used to change list membership, list configuration details, forge email, perhaps even create and/or delete lists, and anything else that the majordomo user has permissions to do. If Majordomo is *NOT* installed on a secured system with controlled access (and if you are paranoid, even if it is), you will need to take additional steps to prevent access to the majordomo directories. Usually, changing the privileges of the majordomo home directory to be 0750 fixes these problems, but creates the additional burden of needing to configure the MTA (sendmail, qmail, exim) properly so that it can read and execute "wrapper". Such configuration is beyond the scope of this install document, and is left to the FAQ (Doc/FAQ, Doc/majordomo-faq.html) and the support group email@example.com to answer. ** SECURITY ALERT ** While it is possible, as has been posted earlier, to patch all the code that uses the -C configuration file flag, *and* patch resend to only allow execution of code in specific directories, *and* rework code so it knows where to find the relocated code, it is far easier to simply prevent access to the majordomo directory (including access log, list configuration, membership, etc) which gives security from both execution of arbitrary code *and* information security for the distribution lists. --Chan majordomo maintainer.