COMMAND

    majordomo

SYSTEMS AFFECTED

    majordomo

PROBLEM

    'marvin' posted the following.  Though this is an old problem, it
    seems that it's not widely known.

    When majordomo looks for the admin_passwd, it checks the line in
    the list's config file and compares it against the password
    supplied by the user.  If they match, the password is valid.

    If it doesn't match, majordomo treats the saved password as a file
    name, opens that file and reads a line from it.  If that line
    matches the user-supplied password, the password is also valid.

    In other words, if you have the password in a separate file, you
    have two valid passwords: the contents of the file and the file
    name stored in the config file.

    Many tutorials for setting up majordomo say you should put the
    password in a separate file named <listname>.passwd.  Because the
    file name stored in the config file is itself accepted as a
    password, that makes the password trivial to guess.

    This was reported TWICE, by two different people, in 1995.
    Neither post even got a reply.  The bug has been confirmed on a
    live majordomo 1.94.3 and the code looks the same for 1.94.5 (the
    latest).

    The code is in majordomo.pl, in main'valid_passwd.

SOLUTION

    Move passwords from separate files into the config files.  Change
    main'valid_passwd to not compare what's in the .config file if a
    file by that name exists.
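
    The check described under PROBLEM and the change proposed under
    SOLUTION, as an added Perl example; it is a simplified model, not
    the code of main'valid_passwd.  The function names, the list name
    "demo", the password and the directory layout are assumptions
    made for illustration.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model of the check the advisory describes,
# not the actual code of main'valid_passwd in majordomo.pl.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return the first line of a file, or undef if it cannot be read.
sub first_line {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    my $line = <$fh>;
    close($fh);
    return unless defined $line;
    chomp $line;
    return $line;
}

# Described behaviour: compare the configured value directly, then fall
# back to treating that same value as a file name.
sub valid_passwd_described {
    my ($dir, $configured, $supplied) = @_;
    return 1 if $supplied eq $configured;
    my $stored = first_line("$dir/$configured");
    return (defined $stored && $supplied eq $stored) ? 1 : 0;
}

# Proposed fix: if a file by that name exists, the configured value is
# only a file name and is never compared as a password.
sub valid_passwd_fixed {
    my ($dir, $configured, $supplied) = @_;
    if (-e "$dir/$configured") {
        my $stored = first_line("$dir/$configured");
        return (defined $stored && $supplied eq $stored) ? 1 : 0;
    }
    return $supplied eq $configured ? 1 : 0;
}

# Constructed data: list "demo" whose config has admin_passwd = demo.passwd.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/demo.passwd") or die "cannot write: $!";
print $out "s3cret-constructed\n";
close($out);

for my $try ('s3cret-constructed', 'demo.passwd', 'wrong') {
    printf "%-20s described=%d fixed=%d\n", $try,
        valid_passwd_described($dir, 'demo.passwd', $try),
        valid_passwd_fixed($dir, 'demo.passwd', $try);
}
```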