COMMAND

    majordomo

SYSTEMS AFFECTED

    Systems running majordomo

PROBLEM

    James Ponder posted the following.  This is a known issue,
    described in the majordomo FAQ, but it is still present.  When
    someone sends a message to a majordomo list, the mail goes through
    an alias that pipes it through the wrapper program with a series
    of arguments.  One argument is the name of another alias, which
    holds the list of email addresses (via a sendmail :include:
    directive).  The problem with this setup is that anyone can use
    EXPN on the address the mail goes to in order to reveal the alias
    that contains all the email addresses; it is then just a question
    of using EXPN on that alias, and sendmail will output all the
    subscribers' email addresses.  An example of such an exploit:

        telnet somewhere.com 25
        220 somewhere.com ESMTP Sendmail 8.8.5/Somewhere-971021-1 ready at ...
        EXPN somewhere-announce
        250 <"|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce
               -h somewhere.com somewhere-announce-list"@somewhere.com>
        EXPN somewhere-announce-list
        ...

SOLUTION

    Several documents on the subject (including the FAQ) indicate
    that people should choose a non-guessable alias and also disable
    EXPN.

    This is actually correctable by putting the arguments for resend
    into a file.  Local users could still (potentially) get at the
    data by grabbing the file if it's not protected, but remote users
    can't.  You still have the problem that someone could conceivably
    guess the actual alias that you're using, but that problem exists
    regardless.
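
    An audit check for the condition described above, added here as an
    example (it is not part of the original advisory or of majordomo):
    it parses an aliases file and reports each list whose wrapper
    command line names an :include: alias.  The sample aliases, the
    "staff" list and its @file argument path are constructed
    assumptions.

```python
import shlex

# Constructed sample in sendmail aliases format; host and paths are made up.
SAMPLE_ALIASES = '''\
# majordomo lists
somewhere-announce: "|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce
    -h somewhere.com somewhere-announce-list"
somewhere-announce-list: :include:/usr/local/mail/lists/somewhere-announce
# Hypothetical list whose resend arguments live in a file (path is a placeholder).
staff: "|/usr/local/mail/majordomo/wrapper resend @/etc/majordomo/staff.args"
owner-staff: postmaster
'''


def parse_aliases(text):
    """Return {alias: value}, joining continuation lines that start with whitespace."""
    aliases, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            aliases[current] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            aliases[current] = value.strip()
    return aliases


def find_exposed_lists(text):
    """Report (list alias, subscriber alias, include file) for each list whose
    wrapper command line names an alias that expands via :include:."""
    aliases = parse_aliases(text)
    findings = []
    for name, value in aliases.items():
        cmd = value.strip('"')
        if not cmd.startswith("|"):
            continue
        args = shlex.split(cmd[1:])
        if "resend" not in args:
            continue
        for arg in args[args.index("resend") + 1:]:
            target = aliases.get(arg.lower(), "")
            if target.startswith(":include:"):
                findings.append((name, arg, target[len(":include:"):]))
    return findings


if __name__ == "__main__":
    for lst, outgoing, path in find_exposed_lists(SAMPLE_ALIASES):
        print(f"{lst}: EXPN reveals alias '{outgoing}' -> {path}")
```

    A list reported here still needs EXPN disabled or its resend
    arguments moved out of the alias, as the SOLUTION text says.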