[5188] in bugtraq
Re: Vulnerability in Majordomo
daemon@ATHENA.MIT.EDU (Steve Hill)
Tue Aug 26 17:36:27 1997
Date: Tue, 26 Aug 1997 18:05:54 +0100
Reply-To: Steve Hill <steve_hill@VNET.IBM.COM>
From: Steve Hill <steve_hill@VNET.IBM.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.970824150942.13326A-100000@pop3.kappa.ro> from
"Razvan Dragomirescu" at Aug 24, 97 03:17:18 pm
Folks,
> I have discovered a vulnerability in "majordomo" that allows local and
> remote users to execute commands with the rights of the user running the
> server.
> -- majordomo --
> foreach $i (@array) {
> $command = "(q~$reply_addr~ =~ $i)";
> $result = 1, last if (eval $command);
> }
>
> -- end majordomo --
> $reply_addr is the result of some paranoid validation. It cannot contain
> <,>,[,],-,+,(,),; etc..
> I am too tired to find a fix for this right now. Some more validation
> might help.
Although I know little of the internals of majordomo, this is a standard
validation problem just like the slew of CGI vulnerabilities that
recirculated about 6 months ago. This has probably been said a million times
before, but as these vulnerabilities seem to keep re-appearing maybe it's
worth saying again.
By far the safest way of doing any sort of validation is to provide a list
of the safe characters, and not permit anything else. The perl to implement
such a scheme is remarkably simple:
$reply_addr =~ s/[^\w\.@-]//g;
This will remove all characters which are not alphanumeric, a period, an at
symbol or a hyphen. Of course, you may like to include a small piece of code
which saves insecure strings in a file somewhere, along with the sender.
Steve
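The allow-list filter described above, carried through as an added example (not Majordomo's code and not from either poster): the address is reduced to the permitted character set, anything stripped is recorded for the log the post suggests, and the pattern check is done with precompiled qr// patterns so that no address data is ever assembled into a string for eval. The patterns and sample address are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list filter from the post: keep word characters, '.', '@' and '-'
# and drop everything else. Characters that do not fit an address, such as
# the q~...~ delimiter the quoted Majordomo code relies on, never survive.
sub sanitise_addr {
    my ($addr) = @_;
    (my $clean = $addr) =~ s/[^\w\.@-]//g;
    return $clean;
}

# Returns 1 when sanitising changed the string, i.e. the input carried
# characters outside the allow-list and is worth logging with its sender.
sub addr_was_altered {
    my ($raw) = @_;
    return sanitise_addr($raw) ne $raw ? 1 : 0;
}

# Match the address against a list of precompiled patterns. The address
# is only ever the left-hand side of =~, never part of code, so there is
# nothing for a hostile address to break out of.
sub addr_matches {
    my ($addr, @patterns) = @_;
    for my $re (@patterns) {
        return 1 if $addr =~ $re;
    }
    return 0;
}

# Constructed sample: a hypothetical reject list and an address carrying
# characters that the quoted blocklist (<>[]-+();) would not have caught.
my @reject = (qr/\@spam\.example$/i, qr/^bounce-/i);
my $raw    = 'user~@spam.example';
my $clean  = sanitise_addr($raw);

if (addr_was_altered($raw)) {
    # In a real list server this line would go to a log file with the sender.
    print "stripped characters from: $raw\n";
}
print "sanitised: $clean\n";
print "rejected:  ", (addr_matches($clean, @reject) ? "yes" : "no"), "\n";
```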