Re: Bug in majordomo

Pete Ashdown (pashdown@XMISSION.COM)
Tue, 24 Jun 1997 11:50:47 -0600

Dustin Marquess said once upon a time:
>
>On Mon, 23 Jun 1997, The Spectre wrote:
>
>> majordomo 1.94.1 has a bug in that if you disable the "lists" command, you
>> can still get a list of all the mailing lists on the server by sending
>> "unsubscribe * <email address>" and it will just give you a bunch of
>> "failed to unsubscribe from ..." once for each list on the server.
>
> Oxymoron has a patch to fix this at
>http://www.waste.org/~oxymoron/majordomo/

A better strategy is not to disable the "lists" command (it's been tried
here, and it's a pain in the arse to answer all the people who legitimately
use it), but to disable more than two subscribes in one message. Without
fail, this is the indicator of some bozo subscribe-bombing a victim.
Here's the patch for 1.94.3. I'm sorry I've lost the attribution:

*** majordomo.unpatched Mon Jun 23 14:22:56 1997
--- majordomo Mon Jun 23 14:23:31 1997
***************
*** 234,239 ****
--- 234,245 ----
# Everything from here on down is subroutine definitions

sub do_subscribe {
+
+ if (! $approved && $count > 2 ) {
+ &squawk("$sm: not approved");
+ return 0;
+ }
+
# figure out what list we are trying to subscribe to
# and check to see if the list is valid
local($sm) = "subscribe";
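
Review bot: the added block calls &squawk("$sm: not approved") before the existing local($sm) = "subscribe"; line that follows it, so at that point $sm holds whatever the caller left in it rather than "subscribe". Move the check below the local($sm) assignment, or spell the command name out in the message. The block also reads $approved and $count, neither of which is set in the visible lines: confirm that $count counts subscribe commands in the current message rather than all commands, and that $approved is reset for each command, and add a comment saying why the limit is 2.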