Mailing list application Majordomo reveals file content

A bug in the way path names are evaluated means that it is possible to view the content of arbitrary files on a Majordomo mailing list system using the help command. The vulnerability can be exploited via both the web and email interfaces in Mojordomo2. According to a security advisory, simply sending an email with the content help ../../../../../../../../../../../../../etc/passwd to the Majordomo account is sufficient to receive a response containing the content of the /etc/password file. The bug is fixed in snapshot versions majordomo-20110125 (direct download) and later.

The bug was originally discussed in Mozilla's Bugzilla database, a discussion which throws up some interesting insights. Mozilla also apparently makes use of the Perl application. Although there is an intention to move to a more up-to-date mailing list tool in the form of Mailman, the work involved in converting the archive has meant that the move has tended to end up on the back burner.

Moving away from Majordomo looks all the more advisable as the application is no longer being actively maintained. An email to the official Majordomo maintainer bounces and the ex-lead developer reports that he has not heard from the current lead in years. Fortunately, Jason Tibbitts, who maintains the CVS server and the Majordomo mailing list, did react to the bug report and fixed the bug. He notes that there were never any official releases of Majordomo, just snapshots and the repository.

There is also some discussion of whether, as a vulnerability in the Mozilla infrastructure, discovery of the bug is worth a bounty as part of Mozilla's extended bug bounty programme. In December 2010, the Mozilla Foundation extended its bounty program to include security vulnerabilities in web applications, which would include the bugzilla.mozilla.org server.

(crve)