Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerability in Majordomo
From: steve_hill () VNET IBM COM (Steve Hill)
Date: Tue, 26 Aug 1997 18:05:54 +0100


Folks,

I have discovered a vulnerablility in "majordomo" that allows local and
remote users to execute commands with the rights of the user running the
server.

-- majordomo --
foreach $i (@array) {
                      $command = "(q~$reply_addr~ =~ $i)";
                      $result = 1, last if (eval $command);
                   }

-- end majordomo --
$reply_addr is the result of some paranoid validation. It cannot contain
<,>,[,],-,+,(,),; etc..

I am too tired to find a fix for this right now. Some more validation
might help.

Although I know little of the internals of majordomo, this is a standard
validation problem just like the slew of CGI vulnerabilities that
recirculated about 6 months ago. This has probably been said a million times
before, but as these vulnerabilities seem to keep re-appearing maybe its
worth saying again.

By far the safest way of doing any sort of validation is to provide a list
of the safe characters, and not permit anything else. The perl to implement
such a scheme is remarkably simple:

  $reply_addr =~ s/[^\w\. () -]//g;

This will remove all characters which are not alphanumeric, a period, an at
symbol or a hyphen. Of course, you may like to include a small piece of code
which saves insecure strings in a file somewhere, along with the sender.

Steve



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]