[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Majordomo filenames used as passwords

Title: Majordomo filenames used as passwords
Released by: marvin
Date: 1st December 2000
Printable version: Click here
Though this is an old problem, it seems that it's not widely known.

When majordomo looks for the admin_passwd it checks the line in the lists

config file and compares it against the password supplied by the user. If

they match, the password is valid.

If it doesn't match, majordomo opens the saved password as a file and reads a

line from the file. If that line matches the user-supplied password, the

password is also valid.

In other words, if you have the password in a separate file, you have two

valid passwords.

Many tutorials for setting up majordomo say you should put the password in a

separate file named .passwd. That makes it very trivial to guess

the password.

This was reported TWICE, by two different people, in 1995. None of the posts

even got a reply. The bug has been confirmed on a live majordomo 1.94.3 and

the code looks the same for 1.94.5 (the latest).

Code is in majordomo.pl, in main'valid_passwd.


 Move passwords from separate files into configfiles.


 Change main'valid_passwd to not compare what's in the .config file if a file

by that name exists.

(C) 1999-2000 All rights reserved.