5807443 2000-12-01 14:48 +0100  /35 lines/  <marvin@NSS.NU>
Sent by: joel@lysator.liu.se
Imported: 2000-12-01  19:41  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: marvin@NSS.NU
Recipient: Bugtraq (import) <14007>
Subject: Majordomo filenames used as passwords
------------------------------------------------------------
From: marvin@NSS.NU
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <00120114482301.00478@marvin>

Though this is an old problem, it seems that it's not widely known.

When majordomo looks for the admin_passwd it checks the line in the
list's config file and compares it against the password supplied by
the user. If they match, the password is valid.

If it doesn't match, majordomo opens the saved password as a file and
reads a line from the file. If that line matches the user-supplied
password, the password is also valid.

In other words, if you have the password in a separate file, you have
two valid passwords.

Many tutorials for setting up majordomo say you should put the
password in a separate file named <listname>.passwd. That makes it
very trivial to guess the password.

This was reported TWICE, by two different people, in 1995. None of
the posts even got a reply. The bug has been confirmed on a live
majordomo 1.94.3 and the code looks the same for 1.94.5 (the latest).

Code is in majordomo.pl, in main'valid_passwd.

Workaround:
 Move passwords from separate files into configfiles.

Fix:
 Change main'valid_passwd to not compare what's in the .config file
if a file by that name exists.
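The check described above and the suggested fix, as an added model in Python (not majordomo's own Perl code): `valid_passwd_flawed` mirrors the two-step comparison the post describes, and `valid_passwd_fixed` skips the direct comparison whenever the config value names an existing file. It assumes the config value is a path resolved relative to a list directory and that the password file holds the password on its first line; the list name, directory and password are constructed sample data.

```python
import os
import tempfile


def _first_line(path):
    """Read the first line of a password file, without the newline (assumed behaviour)."""
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def valid_passwd_flawed(stored, supplied, list_dir):
    """Model of the check the post describes: a direct match with the config value
    is accepted, and otherwise, if that value names a file, its first line is
    accepted too. The filename itself therefore works as a second password."""
    if supplied == stored:
        return True
    path = os.path.join(list_dir, stored)  # assumption: path relative to the list dir
    if os.path.isfile(path):
        return supplied == _first_line(path)
    return False


def valid_passwd_fixed(stored, supplied, list_dir):
    """Hardened variant following the post's fix: when the config value names an
    existing file, only the file's contents count; the name itself never does."""
    path = os.path.join(list_dir, stored)
    if os.path.isfile(path):
        return supplied == _first_line(path)
    return supplied == stored


def demo():
    """Build a list directory in the tutorial layout (constructed sample data) and
    run both checks against the real password and against the filename."""
    with tempfile.TemporaryDirectory() as list_dir:
        with open(os.path.join(list_dir, "mylist.passwd"), "w", encoding="utf-8") as fh:
            fh.write("s3cret-admin-pw\n")
        stored = "mylist.passwd"  # the admin_passwd value as written in mylist.config
        return {
            "flawed_real": valid_passwd_flawed(stored, "s3cret-admin-pw", list_dir),
            "flawed_filename": valid_passwd_flawed(stored, "mylist.passwd", list_dir),
            "fixed_real": valid_passwd_fixed(stored, "s3cret-admin-pw", list_dir),
            "fixed_filename": valid_passwd_fixed(stored, "mylist.passwd", list_dir),
            "fixed_wrong": valid_passwd_fixed(stored, "guess", list_dir),
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```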
(5807443) --------------------------------(Rewrapped)