what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 4, 2003
Authored by Marco van Berkum, Jakub Klausa

Majordomo, the popular mailing list utility, defaults which_access to open in the configuration file. A list of email accounts for a mailing list can be compromised by this de-facto setting by sending which @. Patch included.

tags | exploit
SHA-256 | 8efeb015e6583cfd9603c53d758fcd752e89c4d7096f788f8d997d1a1b2f0abe


Change Mirror Download
Title : Majordomo info leakage (all versions)
Date : 03/02/2003
Article by : Marco van Berkum (m.v.berkum@obit.nl)
Bug finder : Jakub Klausa (jacke@bofh.pl)
Investigated by : Jakub Klausa and Marco van Berkum

Some while ago Jakub Klausa mailed me about a problem regarding the
Majordomo mailinglist program. At first we were not sure if it was a one
time problem or a common issue, so we checked several other servers
and installed Majordomo ourselves and found ALL Majordomo versions to
be vulnerable, also the latest Majordomo 2 (alpha).

The problem:
All email addresses can be extracted from mailinglists for which
'which_access' is set to "open" in the configuration file, which_access
is set to "open" by default !!

Majordomo 1.94.5 documentation quote:

"8. By default, anyone (even non-subscribers) can use the commands
"who", "which", "index", and "get" on a list. If you create an
empty file named "listname.private" in the $listdir directory, only
members of the list can use those commands."

Typical case of RTFDOC of course, but still, why isn't the private
configuration file the default one (?!), now people actually have to read
the documentation to protect their lists against evil spammers. We all
know that admins do not always read the docs (uhuh).

So this bug can be exploited without being subscribed to any mailinglist
on that server when "which_access" is set to open. This bug can be exploited
by sending:

which @


which .

To the Majordomo daemon. Majordomo will then match "@" (or ".") on all the
mailinglists that have 'which_access' set to "open". This then matches
all email addresses that are subscribed to that list.

There is a slight difference between the new Majordomo 2 (alpha) and the
current Majordomo 1.94.x branch.

Majordomo 1.94.x gives output such as this:

>>>> which @
The string '@' appears in the following
entries in lists served by majordomo@somedomain.com:

List Address
==== =======
test-list user@somedomain.com
test-list anotheruser@anotherdomain.com
another-list satan@evilmajordomodomain.net
another-list bush@sopranos.org


Majordomo 2 also has the bug, not as much as the 1.94.x though:

>>>> which @
The pattern "/\@/i"
matched the following subscriptions.

Matches for the devils mailing list:
-- Match limit of 1 for devils exceeded.

Matches for the britney mailing list:
-- Match limit of 1 for britney exceeded.

High. Not only privacy is the issue here, this bug could be used by evil
spammers to fill their databases. And the users did much of their work for
them already, as the victims are usually well targeted (subject-specific
mailinglists come to mind).

Read the documentation regarding $listname.private and set all which_access
to "closed", or update to Majordomo 2 alpha, which still requires the same attention.

Majordomo 1.94.5 and earlier:
As mentioned by the documentation that comes with Majordomo 1.94.5,
create an empty file named "$listname.private" in the $listdir.
It will only reduce the group of people being able to pick up all the addresses
to the ones subscribed to the list. Check your current configurations for
open which_access, close them.

Majordomo 2:
The authors responded quickly and changed default configuration settings
to be "closed". Get the latest CVS version, and check your current
configurations for open which_access, which_access should be closed at
any time.

Jakub made a patch for Majordomo 1.94.5.

This is a patch for Majordomo 1.94.5, which makes the Majordomo
ignore the 'which' request if they don't contain e-mail address-like
string as a parameter (roughly).

--- majordomo.orig Mon Feb 3 13:23:45 2003
+++ majordomo Mon Feb 3 13:23:23 2003
@@ -624,6 +624,11 @@

sub do_which {
local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+ if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+ &log("which abuse -> $subscriber passed as an argument.");
+ exit(0);
+ };
local($count, $per_list_hits) = 0;
# Tell the requestor which lists they are on by reading through all
# the lists, comparing their address to each address from each list


Marco van Berkum / http://ws.obit.nl / m.v.berkum@obit.nl
Jakub Klausa / jacke@bofh.pl

find / -user your -name base -exec chown us:us {}\;
| Marco van Berkum / MB17300-RIPE |
| m.v.berkum@obit.nl / http://ws.obit.nl |
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By