[MLB-WIRELESS] Mailing list security

Tyson Clugg tyson at wireless.org.au
Wed Mar 12 04:16:11 EST 2003


Dear all,

As described in http://www.securiteam.com/unixfocus/5RP011F95S.html:
"A security vulnerability [in] Majordomo, a PERL script for managing mailing
lists, allows remote attackers and Spammers to query a mailing list for its
complete address list."

Melbourne Wireless uses Majordomo, and indeed the Majordomo daemon running
on wireless.org.au suffered from this vulnerability.  Mailing lists that
were vulnerable on the wireless.org.au server include:
 * melbwireless
 * nzlist
 * rgcentral
 * wginquiry
 * wgipv6
 * wgmeetings
 * wgnewsletter
 * wgprivacysecurity
 * wgpropaganda
 * wgpublicrelations
 * wgrouting
 * wgsolar

It is unknown how long the mailing lists have been vulnerable, but it is
possible that the mailing lists have been vulnerable to information leakage
since their creation.  However, it is unlikely that spammers have sourced
any email addresses from the wireless.org.au Majordomo daemon.

Examining the Majordomo log files on the wireless.org.au server reveals that
the vulnerable query command has been used by exactly seven people since
November 12th last year (the earliest recorded date in the logfiles).  One
of those people was myself, and another person was Peter Mitchell who kindly
notified us of this vulnerability.  The remaining five people were users
with legitimate (non-exploitive) requests.

I am confident that the issue has been resolved, and that no email address
has been disclosed to spammers as a result of the vulnerability.  I
understand that many of you will have serious concerns regarding the
potential unintended disclosure of your email details.  If you have any
queries then please contact the Melbourne Wireless committee via email at
committee at wireless.org.au and we will endeavour to answer your queries.

Many thanks go to Peter Mitchell for drawing our attention to the
vulnerability.

Sincerely yours,
Tyson Clugg
President, Melbourne Wireless Inc.


To unsubscribe: send mail to majordomo at wireless.org.au
with "unsubscribe melbwireless" in the body of the message