[4785] in bugtraq
Re: Bug in majordomo
daemon@ATHENA.MIT.EDU (Pete Ashdown)
Tue Jun 24 21:18:14 1997
Date: Tue, 24 Jun 1997 11:50:47 -0600
Reply-To: Pete Ashdown <pashdown@XMISSION.COM>
From: Pete Ashdown <pashdown@XMISSION.COM>
X-To: jailbird@ALCATRAZ.FDF.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.970623223059.807A-100000@alcatraz.fdf.net> from
"Dustin Marquess" at Jun 23, 97 10:32:02 pm
Dustin Marquess said once upon a time:
>
>On Mon, 23 Jun 1997, The Spectre wrote:
>
>> majordomo 1.94.1 has a bug in that if you disable the "lists" command, you
>> can still get a list of all the mailing lists on the server by sending
>> "unsubscribe * <email address>" and it will just give you a bunch of
>> "failed to unsubscribe from ..." once for each list on the server.
>
> Oxymoron has a patch to fix this at
>http://www.waste.org/~oxymoron/majordomo/

A better strategy is not to disable the "lists" command (it's been tried
here, and it's a pain in the arse to answer all the people who legitimately
use it), but to disable more than two subscribes in one message. Without
fail, this is the indicator of some bozo subscribe-bombing a victim.

Here's the patch for 1.94.3. I'm sorry I've lost the attribution:

*** majordomo.unpatched Mon Jun 23 14:22:56 1997
--- majordomo Mon Jun 23 14:23:31 1997
***************
*** 234,239 ****
--- 234,245 ----
# Everything from here on down is subroutine definitions
sub do_subscribe {
+
+ if (! $approved && $count > 2 ) {
+ &squawk("$sm: not approved");
+ return 0;
+ }
+
# figure out what list we are trying to subscribe to
# and check to see if the list is valid
local($sm) = "subscribe";
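
Review bot: The added guard at the top of do_subscribe interpolates $sm in &squawk("$sm: not approved") before the local($sm) = "subscribe"; line that follows it, so the message is built with whatever value $sm has in the enclosing scope (possibly empty) rather than "subscribe". Move the check below the local($sm) assignment, or spell the command name out in the string. Two further points on the same lines: the hunk does not show where $count is maintained, so it is worth confirming that it counts subscribe commands and not every command in the message, since otherwise a subscribe that is merely the third command of any kind is refused, which is stricter than the stated limit of two subscribes per message; and "not approved" gives a legitimate user no hint that a per-message limit was hit, so a message naming the limit would cut down on follow-up mail to the list owner.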