Change default configuration options
which_access open -> closed
who_access open -> closed
max_which_hits 0 -> 1

Those would allow a spammer to harvest all subscriber addresses if not changed by the list admin.
Reported on http://online.securityfocus.com/archive/1/310113/2003-02-03/2003-02-09/0
Don't restrict the which arguments as the article suggests, though, because with which_access list and max_which_hits 1, there's no reason to destroy a useful command.
This commit is contained in:
parent bd997406d1
commit e97d74c80a
mail/majordomo/patches/patch-config_parse_pl (13 lines, Normal file)
@ -0,0 +1,13 @@
--- config_parse.pl.orig Fri Jan 7 15:00:26 2000
+++ config_parse.pl Thu Feb 6 20:13:40 2003
@@ -80,8 +80,8 @@
'announcements', 'yes', # send sub/unsub audits to list owner
'get_access', "open\001closed\001list\001list", # open, anyone can access
'index_access', "open\001closed\001list\001open", # closed, nobody can
- 'who_access', "open\001closed\001list\001open", # list, only list can access.
- 'which_access', "open\001closed\001list\001open", # ...more to come...
+ 'who_access', "open\001closed\001list\001closed", # list, only list can access.
+ 'which_access', "open\001closed\001list\001closed", # ...more to come...
'info_access', "open\001closed\001list\001open", #
'intro_access', "open\001closed\001list\001list", #
'advertise', '', # if regexp matches address show list
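Review bot: the commit message argues that `which_access` set to `list` together with `max_which_hits` 1 keeps `which` useful, yet this hunk changes the default for both `who_access` and `which_access` to `closed`, which also locks out subscribers until a list admin opts back in. If `closed` is the intended safe default (so that a list which never set the option stops exposing its membership), say so in the commit message or in the trailing comment; as written, `# list, only list can access.` and `# ...more to come...` are left unchanged and do not describe the new default. Note that `get_access`, `index_access` and `info_access` keep their previous defaults, so only the two address-harvesting paths named in the report are affected.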
@ -1,5 +1,5 @@
--- sample.cf.orig Wed Aug 27 17:00:31 1997
+++ sample.cf Thu Jan 11 13:17:17 2001
--- sample.cf.orig Thu Feb 6 20:20:08 2003
+++ sample.cf Thu Feb 6 20:21:45 2003
@@ -27,7 +27,7 @@
# $listdir -- Where are the mailing lists?
@ -52,7 +52,18 @@
#
#exit 75 if ($avg_15_minutes >= $max_loadavg); # E_TEMPFAIL
#
@@ -169,8 +169,8 @@
@@ -164,13 +164,18 @@
# number of hits that are allowed using which before an error is returned.
# Arguably this should be a per list settable number.
#
-$max_which_hits = 0;
+# Setting the value to 0 disables the limit. Note that spammmers
+# could try to harvest your subscriber's addresses by sending a
+# broad which command. Compare with which_access and who_access
+# list configuration option.
+#
+$max_which_hits = 1;
# Set the umask for the process. Used to set default file status for
# config file.
#
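Review bot: the added comment has a typo, `spammmers` should be `spammers`, and `subscriber's addresses` should be `subscribers' addresses`; correcting the inner patch changes line content only, not line counts, so the `@@ -164,13 +164,18 @@` header stays valid. That header change is itself consistent: one line removed and six added is the net +5 that turns 13 into 18. It would also help to spell out in the comment what a limit of 1 means in practice, namely that, per the existing comment above, a `which` pattern matching more than the allowed number of addresses returns an error, so the stricter default is understood rather than just inherited.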
@ -63,7 +74,7 @@
# don't change this. It checks to make sure that you have a new enough
# version of perl to run majordomo. It is in here because this file is
@@ -188,9 +188,8 @@
@@ -188,9 +193,8 @@
# Directory where resend temporarily puts its rewritten output message.
# For the paranoid, this could be changed to a directory that only
# majordomo has r/w permission to.
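Review bot: only the inner hunk offset moves here, `+188` to `+193`, which matches the five lines added net by the preceding `max_which_hits` hunk, and the surrounding context (`# Directory where resend temporarily puts its rewritten output message.` onward) is unchanged, so no other edit slipped into this part of sample.cf. No change needed.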