[13139] in bugtraq
Re: majordomo local exploit
daemon@ATHENA.MIT.EDU (Taneli Huuskonen)
Wed Dec 29 21:53:42 1999
Message-Id: <199912291530.RAA27325@sirppi.helsinki.fi>
Date: Wed, 29 Dec 1999 17:30:15 +0200
Reply-To: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
From: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
X-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199912290703.AAA05209@xerxes.courtesan.com> from "Todd C.
Miller" at "Dec 29, 1999 00:03:01 am"

"Todd C. Miller" <Todd.Miller@COURTESAN.COM> wrote:

> For those using perl 5.x, you can use sysopen() instead of the "magic"
> perl open() to fix this.

I'm afraid that wouldn't help much, as you can supply any pathname as
the -C (configuration file) argument:

    /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl

I tested this with version 1.94.1, but the same behaviour seems to be
there in 1.94.4, as far as I can tell by the source.

Taneli Huuskonen

--
I don't | All messages will be PGP signed, | Fight for your right to
speak for | encrypted mail preferred. Keys: | use sealed envelopes.
the Uni. | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
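
Added example, not part of the original post and not majordomo's own code: one way a privileged wrapper could vet a caller-supplied configuration path such as the -C argument discussed above before handing it to a script. The names config_path_ok, demo, trusted_dir and the "lists" directory are hypothetical, and the sample files are constructed in a temporary directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vet a caller-supplied config path. trusted_dir and owner are assumed to be
   fixed at install time. On success returns 0 and writes the resolved path to
   out, which is what the wrapper should pass on instead of the raw argument. */
int config_path_ok(const char *path, const char *trusted_dir, uid_t owner,
                   char out[PATH_MAX])
{
    char base[PATH_MAX];
    struct stat st;
    if (!realpath(trusted_dir, base) || !realpath(path, out))
        return -1;                    /* missing or unresolvable */
    size_t n = strlen(base);
    if (strncmp(out, base, n) != 0 || out[n] != '/')
        return -2;                    /* resolves outside trusted_dir */
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
        return -3;                    /* not a regular file */
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -4;                    /* wrong owner, or writable by others */
    return 0;
}

/* Constructed sample tree. which: 0 = config inside trusted dir, 1 = file
   outside it, 2 = symlink inside pointing outside, 3 = case 0 made 0666. */
int demo(int which)
{
    char tmpl[] = "/tmp/cfgdemoXXXXXX", dir[64], p[3][128], out[PATH_MAX];
    if (!mkdtemp(tmpl)) return -100;
    snprintf(dir, sizeof dir, "%s/lists", tmpl);
    snprintf(p[0], sizeof p[0], "%s/good.cf", dir);
    snprintf(p[1], sizeof p[1], "%s/other.cf", tmpl);
    snprintf(p[2], sizeof p[2], "%s/link.cf", dir);
    if (mkdir(dir, 0755) != 0 || symlink(p[1], p[2]) != 0) return -100;
    close(open(p[0], O_CREAT | O_WRONLY, 0644));
    close(open(p[1], O_CREAT | O_WRONLY, 0644));
    if (which == 3) chmod(p[0], 0666);
    return config_path_ok(p[which % 3], dir, getuid(), out);
}

int main(void)
{
    for (int i = 0; i < 4; i++) printf("case %d -> %d\n", i, demo(i));
}
```

The check is only meaningful if trusted_dir and every directory above it are writable by the trusted owner alone; otherwise the file can be swapped between the check and its use.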