5th Feb 2003 [SBWID-5971]
COMMAND
	Majordomo info leakage (mailing list exposure), all versions
SYSTEMS AFFECTED
	ALL Majordomo versions including the latest Majordomo 2 (alpha)
PROBLEM
	Thanks to Marco van Berkum [http://ws.obit.nl] [[email protected]]  and
	Jakub Klausa [[email protected]] advisory :
	Some while ago Jakub Klausa mailed me  about  a  problem  regarding  the
	Majordomo mailinglist program. At first we were not sure  if  it  was  a
	one time problem or a common issue, so we checked several other  servers
	and installed Majordomo ourselves and found ALL  Majordomo  versions  to
	be vulnerable, also the latest Majordomo 2 (alpha).
	 The problem:
	 ---------------
	All email  addresses  can  be  extracted  from  mailinglists  for  which
	'which_access' is set to "open" in the configuration file,  which_access
	is set to "open" by default !!
	 Majordomo 1.94.5 documentation quote:
	    "8.  By default, anyone (even non-subscribers) can use the commands
	         "who", "which", "index", and "get" on a list.  If you create an
	         empty file named "listname.private" in the $listdir directory, only
	         members of the list can use those commands."
	Typical case of RTFDOC of course,  but  still,  why  isn't  the  private
	configuration file the default one (?!), now  people  actually  have  to
	read the documentation to protect their lists against evil spammers.  We
	all know that admins do not always read the docs (uhuh).
	So  this  bug  can  be  exploited  without  being  subscribed   to   any
	mailinglist on that server when "which_access" is set to open. This  bug
	can be exploited by sending:
	
	   which @
	   or
	   which .
	
	To the Majordomo daemon. Majordomo will then match "@" (or ".")  on  all
	the mailinglists that have  'which_access'  set  to  "open".  This  then
	matches all email addresses that are subscribed to that list.
	There is a slight difference between the new  Majordomo  2  (alpha)  and
	the current Majordomo 1.94.x branch.
	Majordomo 1.94.x gives output such as this:
	
	>>>> which @
	
	The string '@' appears in the  following  entries  in  lists  served  by
	[email protected]:
	
	List                    Address
	====                    =======
	test-list               [email protected]
	test-list               [email protected]
	another-list            [email protected]
	another-list            [email protected]
	
	etc...
	Majordomo 2 also has the bug, not as much as the 1.94.x though:
	
	>>>> which @
	
	The pattern "/\@/i" matched the following subscriptions.
	
	Matches for the devils mailing list:
	  [email protected]
	-- Match limit of 1 for devils exceeded.
	Matches for the britney mailing list:
	  [email protected]
	-- Match limit of 1 for britney exceeded.
	
SOLUTION
	Read  the  documentation  regarding  $listname.private   and   set   all
	which_access to "closed", or update to Majordomo 2  alpha,  which  still
	requires the same attention.
	 Majordomo 1.94.5 and earlier:
	 =============================
	As mentioned by the documentation  that  comes  with  Majordomo  1.94.5,
	create an empty file named "$listname.private" in the $listdir. It  will
	only reduce the group of people being able to pick up all the  addresses
	to the ones subscribed to the list. Check  your  current  configurations
	for open which_access, close them.
	 Majordomo 2:
	 ============
	The  authors  responded  quickly  and  changed   default   configuration
	settings to be "closed". Get the latest  CVS  version,  and  check  your
	current configurations for open  which_access,  which_access  should  be
	closed at any time.
	Jakub made a patch for Majordomo 1.94.5.
	 [Patch]
	 =======
	This is a patch for Majordomo 1.94.5, which makes the  Majordomo  ignore
	the 'which' request if they don't contain e-mail address-like string  as
	a parameter (roughly).
	
	--- majordomo.orig      Mon Feb  3 13:23:45 2003
	+++ majordomo   Mon Feb  3 13:23:23 2003
	@@ -624,6 +624,11 @@
	 sub do_which {
	     local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
	+    if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
	+       
	+       &log("which abuse -> $subscriber passed as an argument.");
	+       exit(0);
	+       };
	     local($count, $per_list_hits) = 0;
	     # Tell the requestor which lists they are on by reading through all
	     # the lists, comparing their address to each address from each list