Majordomo default configuration remote list subscriber disclosure vulnerability

Vulnerability ID: 1203104
Vulnerability type: Configuration error
Published: 2003-02-04
Updated: 2003-12-31
CVE ID: CVE-2003-1367
CNNVD ID: CNNVD-200312-379
Platform: N/A
CVSS score: 7.8
|Source
https://cxsecurity.com/issue/WLB-2007100056
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-379
|Vulnerability details
Majordomo is a popular open-source mailing list system. Majordomo does not adequately restrict requests for subscriber list information, and a remote attacker can exploit this by sending special commands to obtain the subscriber list. If the 'which_access' option in the Majordomo configuration file is set to "open", all subscriber email addresses can be obtained by an attacker. By default, 'which_access' is set to "open". The Majordomo documentation states: "By default, anyone (even non-subscribers) can use the commands "who", "which", "index", and "get" on a list. If you create an empty file named "listname.private" in the $listdir directory, only members of the list can use those commands." By sending the commands "which @" and "which .", the full list of subscriber email addresses can be obtained.
|Exploit
-------------------------------------------------------------------------------
Title                   : Majordomo info leakage (all versions)
Date                    : 03/02/2003
Article by              : Marco van Berkum (m.v.berkum@obit.nl)
Bug finder              : Jakub Klausa (jacke@bofh.pl)
Investigated by         : Jakub Klausa and Marco van Berkum
-------------------------------------------------------------------------------

Introduction:
--------------
Some while ago Jakub Klausa mailed me about a problem regarding the
Majordomo mailing list program. At first we were not sure if it was a one
time problem or a common issue, so we checked several other servers
and installed Majordomo ourselves and found ALL Majordomo versions to
be vulnerable, also the latest Majordomo 2 (alpha).

The problem:
---------------
All email addresses can be extracted from mailing lists for which
'which_access' is set to "open" in the configuration file; which_access
is set to "open" by default !!

Majordomo 1.94.5 documentation quote:

"8.  By default, anyone (even non-subscribers) can use the commands
         "who", "which", "index", and "get" on a list.  If you create an
         empty file named "listname.private" in the $listdir directory, only
         members of the list can use those commands."

Typical case of RTFDOC of course, but still, why isn't the private
configuration file the default one (?!). Now people actually have to read
the documentation to protect their lists against evil spammers. We all
know that admins do not always read the docs (uhuh).

So this bug can be exploited without being subscribed to any mailing list
on that server when "which_access" is set to open. This bug can be exploited
by sending:

which @

or

which .

to the Majordomo daemon. Majordomo will then match "@" (or ".") on all the
mailing lists that have 'which_access' set to "open". This then matches
all email addresses that are subscribed to that list.

There is a slight difference between the new Majordomo 2 (alpha) and the
current Majordomo 1.94.x branch.

Majordomo 1.94.x gives output such as this:

>>>> which @
The string '@' appears in the following
entries in lists served by majordomo@somedomain.com:

List                    Address
====                    =======
test-list               user@somedomain.com
test-list               anotheruser@anotherdomain.com
another-list            satan@evilmajordomodomain.net
another-list            bush@sopranos.org

etc...

Majordomo 2 also has the bug, though not as badly as the 1.94.x branch:

>>>> which @
The pattern "/@/i"
matched the following subscriptions.

Matches for the devils mailing list:
  satan@majordomo.org
-- Match limit of 1 for devils exceeded.

Matches for the britney mailing list:
  eminem@spears.net
-- Match limit of 1 for britney exceeded.

Impact:
-------
High. Privacy is not the only issue here; this bug could be used by evil
spammers to fill their databases. And the users did much of their work for
them already, as the victims are usually well targeted (subject-specific
mailing lists come to mind).

Solution:
---------
General:
Read the documentation regarding $listname.private and set all which_access
to "closed", or update to Majordomo 2 alpha, which still requires the same attention.

Majordomo 1.94.5 and earlier:
As mentioned in the documentation that comes with Majordomo 1.94.5,
create an empty file named "$listname.private" in the $listdir.
This only reduces the group of people able to pick up all the addresses
to the ones subscribed to the list. Check your current configurations for
open which_access and close them.

Majordomo 2:
The authors responded quickly and changed the default configuration settings
to "closed". Get the latest CVS version, and check your current
configurations for open which_access; which_access should be closed at
all times.

Jakub made a patch for Majordomo 1.94.5.

[Patch]
This is a patch for Majordomo 1.94.5, which makes Majordomo
ignore 'which' requests that do not contain an e-mail-address-like
string as a parameter (roughly).

--- majordomo.orig      Mon Feb  3 13:23:45 2003
+++ majordomo   Mon Feb  3 13:23:23 2003
@@ -624,6 +624,11 @@
 
 sub do_which {
     local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+    if ($subscriber !~ /^[0-9a-zA-Z.-_]+@[0-9a-zA-Z.-]+.[a-zA-Z]{2,3}$/) {
+       
+       &log("which abuse -> $subscriber passed as an argument.");
+       exit(0);
+       };
     local($count, $per_list_hits) = 0;
     # Tell the requestor which lists they are on by reading through all
     # the lists, comparing their address to each address from each list
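Review bot: the character class `[0-9a-zA-Z.-_]` in the added guard does not mean what it intends: inside brackets `.-_` is a range from 0x2E to 0x5F, so it also admits `/`, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^`, and the `.` before `[a-zA-Z]{2,3}` is unescaped, so it matches any character; `{2,3}` also rejects longer top-level domains such as `.info`. Put the hyphen last (as the second class already does) and escape the dot, e.g. `if ($subscriber !~ /^[0-9a-zA-Z._-]+@[0-9a-zA-Z.-]+\.[a-zA-Z]{2,}$/) {`. Separately, `exit(0)` inside `do_which` terminates the whole majordomo run, so any other commands in the same message are silently dropped after the log line; a `return;` after `&log(...)` keeps the rest of the request processed. Note also that the guard leaves `which_access = open` untouched: a request naming a complete address still reports every list that address is subscribed to, so the configuration change in the Solution section is still required.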

Cheers

Marco van Berkum / http://ws.obit.nl / m.v.berkum@obit.nl
Jakub Klausa / jacke@bofh.pl

-- 
find / -user your -name base -exec chown us:us {};
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
|  m.v.berkum@obit.nl / http://ws.obit.nl |
 ----------------------------------------
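As an added example (not part of the advisory above and not Majordomo's own code), the following script operationalizes the advisory's Solution section: it walks a Majordomo 1.94.x $listdir and reports every list whose 'which' command would expose subscriber addresses to non-members, i.e. which_access is open (or absent, which the page says is the default) and no listname.private marker file exists. The listname.config filename and the "key = value" line layout are assumptions about the 1.94.x configuration format.

```python
"""Audit a Majordomo 1.94.x $listdir for lists whose 'which' command would
reveal subscriber addresses to non-members. Constructed example, not Majordomo code."""
import re
import tempfile
from pathlib import Path

# Assumption: each list has listname.config with lines like "which_access = open";
# lines starting with '#' are comments. Values named on the page: open, closed.
WHICH_RE = re.compile(r'^\s*which_access\s*=\s*(\S+)', re.IGNORECASE)


def which_access_value(config_text):
    """Return the configured which_access value, or 'open' when the key is
    absent (the page states that open is the shipped default)."""
    for line in config_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = WHICH_RE.match(line)
        if m:
            return m.group(1).strip('"\'').lower()
    return 'open'


def audit_listdir(listdir):
    """Flag a list as exposed when which_access is open AND no listname.private
    marker file exists, the two controls the advisory names."""
    listdir = Path(listdir)
    report = {}
    for cfg in sorted(listdir.glob('*.config')):
        name = cfg.name[:-len('.config')]
        value = which_access_value(cfg.read_text())
        has_private = (listdir / f'{name}.private').exists()
        report[name] = {'which_access': value, 'private': has_private,
                        'exposed': value == 'open' and not has_private}
    return report


def demo():
    """Build a constructed $listdir with three lists and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        # test-list: shipped default, key only in a comment, no .private -> exposed
        (p / 'test-list.config').write_text('# which_access [open|closed] (open)\n')
        # another-list: explicitly open, but protected by the .private marker
        (p / 'another-list.config').write_text('which_access = open\n')
        (p / 'another-list.private').write_text('')
        # devils: explicitly closed, as the advisory recommends
        (p / 'devils.config').write_text('which_access    =   closed\n')
        return audit_listdir(d)


if __name__ == '__main__':
    for name, r in demo().items():
        print(f"{name:13} which_access={r['which_access']:7} private={r['private']!s:5} exposed={r['exposed']}")
```

Run against a real $listdir, the same audit_listdir call turns the advisory's "check your current configurations for open which_access" into a repeatable check.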
|References

Source: XF
Name: majordomo-whichaccess-email-disclosure (11243)
Link: http://xforce.iss.net/xforce/xfdb/11243
Source: BID
Name: 6761
Link: http://www.securityfocus.com/bid/6761
Source: BUGTRAQ
Name: 20030204 Majordomo info leakage, all versions
Link: http://www.securityfocus.com/archive/1/310113
Source: SREASON
Name: 3235
Link: http://securityreason.com/securityalert/3235
Source: NSFOCUS
Name: 4325
Link: http://www.nsfocus.net/vulndb/4325
