> I have discovered a vulnerability in "majordomo" that allows local and
> remote users to execute commands with the rights of the user running the
> server.
> -- majordomo --
> foreach $i (@array) {
> $command = "(q~$reply_addr~ =~ $i)";
> $result = 1, last if (eval $command);
> }
>
> -- end majordomo --
> $reply_addr is the result of some paranoid validation. It cannot contain
> <,>,[,],-,+,(,),; etc.
> I am too tired to find a fix for this right now. Some more validation
> might help.
Although I know little of the internals of majordomo, this is a standard
validation problem just like the slew of CGI vulnerabilities that
recirculated about 6 months ago. This has probably been said a million times
before, but as these vulnerabilities seem to keep re-appearing maybe it's
worth saying again.
By far the safest way of doing any sort of validation is to provide a list
of the safe characters, and not permit anything else. The perl to implement
such a scheme is remarkably simple:
$reply_addr =~ s/[^\w\.@-]//g;
This will remove all characters which are not alphanumeric, a period, an at
symbol or a hyphen. Of course, you may like to include a small piece of code
which saves insecure strings in a file somewhere, along with the sender.
Steve
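
As an added example (not majordomo's code and not from either poster), the
following Perl script puts the quoted eval-based check next to the allowlist
filter from the reply, and adds a version that matches the patterns directly
so that nothing is ever eval'd. The pattern list, the addresses, the flag()
helper and the output lines are constructed for the demonstration; the
hostile addresses are not claimed to get past majordomo's own validation,
they only show what reaches eval once a character the denylist overlooks
(here '~', which closes the q~...~ quote) is allowed through.

```perl
#!/usr/bin/perl
# Added example, not majordomo's code: the quoted eval-based check beside
# an allowlist filter and a direct pattern match. All inputs constructed.
use strict;
use warnings;

# Constructed stand-in for the list of permitted sender patterns. The
# eval'd version needs them as strings; the direct version compiles them
# once at startup.
my @allowed_str = ( '/\@example\.com$/i', '/\@example\.org$/i' );
my @allowed_re  = ( qr/\@example\.com$/i, qr/\@example\.org$/i );

# Set by flag() so we can tell whether eval executed attacker-chosen code.
my $ran = 0;
sub flag { $ran = 1; return 1 }

# The check as quoted above: Perl source is built from the address and
# then eval'd, so anything in $reply_addr that Perl reads as code is run.
sub match_by_eval {
    my ($reply_addr) = @_;
    my $result = 0;
    foreach my $i (@allowed_str) {
        my $command = "(q~$reply_addr~ =~ $i)";
        $result = 1, last if (eval $command);
    }
    return $result;
}

# Allowlist filter from the reply: keep word characters, '.', '@' and '-',
# drop everything else. Also reports whether anything had to be removed,
# so the caller can log the original string and its sender as suggested.
sub sanitize {
    my ($reply_addr) = @_;
    my $clean = $reply_addr;
    $clean =~ s/[^\w\.@-]//g;
    return ( $clean, $clean ne $reply_addr );
}

# Match the precompiled patterns directly; no string is ever eval'd, so a
# stray '~' in the address can only fail to match, never change the code.
sub match_direct {
    my ($reply_addr) = @_;
    foreach my $re (@allowed_re) {
        return 1 if $reply_addr =~ $re;
    }
    return 0;
}

# --- constructed inputs ---
my $good   = 'alice@example.com';
# A '~' closes the q~...~ quote; whatever follows is read as Perl.
my $bypass = 'mallory@attacker.test~ || q~';                 # makes the check pass
my $exec   = 'mallory@attacker.test~ && &main::flag && q~';  # calls flag()

printf "eval   %-45s -> %d\n", $good,   match_by_eval($good);
printf "eval   %-45s -> %d\n", $bypass, match_by_eval($bypass);  # accepted though not on the list
match_by_eval($exec);
printf "eval   ran flag()? %d\n", $ran;

for my $addr ( $good, $bypass, $exec ) {
    my ( $clean, $stripped ) = sanitize($addr);
    warn "stripped unsafe characters from '$addr'\n" if $stripped;
    printf "direct %-45s -> %d\n", $clean, match_direct($clean);
}
```

The eval'd check accepts the '~ || q~' address because the generated
expression becomes a true string OR'd with an empty match, and the '&&
&main::flag' address runs flag() before the match is even attempted. After
sanitize() both collapse to plain addresses that match_direct() rejects, and
the warn line is where a record of the original string and its sender would
be written.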