Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting
From: zeno (zeno@cgisecurity.net)
Date: 11/28/01
From: zeno <zeno@cgisecurity.net> Message-Id: <200111281009.fASA9uw07967@cgisecurity.net> Subject: Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting To: bugs@securitytracker.com, bugtraq@securityfocus.com, vuln-dev@securityfocus.com, vulnwatch@vulnwatch.org Date: Wed, 28 Nov 2001 05:09:56 -0500 (EST)
Hello,
This isn't a major threat or anything but this product does allow cross site scripting.
From the list of sites below as examples you get an idea of just how popular this product is.
http://www1.dshield.org/mailman/listinfo/
Patching information is included within the advisory.
- zeno
PS: advisory can also be located at http://www.cgisecurity.org/advisory/7.txt
[ Cgi Security Advisory #7 ]

Mailman Email archiver Cross Site Scripting Hole

Found: November 2001
Public Release: Sometime in November 2001
Vendor Contacted: November 2001
Scripts Affected: Mailman Email Archiver
Versions: All Versions appear to be affected
Platforms: Unix, Linux, Other?
Vendor: http://sourceforge.net/projects/mailman
Price: Free
Contact: admin@cgisecurity.com

Examples of sites running this product:
http://mail.gnu.org/mailman/listinfo/
http://lists.bell-labs.com/mailman/listinfo/
http://mail.gnome.org/mailman/listinfo/
http://www.lists.apple.com/mailman/listinfo/

1. Problem

This product is affected by a Cross Site Scripting hole, which may allow an attacker to trick a user into thinking something the attacker wrote actually came from the affected site. This involves some social engineering to a point but could possibly allow gathering of user information and other types of fraud.

http://host/mailman/listinfo/

This will gladly show you a pop up javascript box.

2. Fixes

The vendor has been notified of the problem. Upgrade to version 2.0.8 in order to fix this problem.

TarBalls: http://sourceforge.net/project/showfiles.php?group_id=103

Published to the Public November 2001
Copyright November 2001 Cgisecurity.com
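As an added example (not Mailman's code and not part of the advisory), here is the pattern behind this class of bug and its fix, in Python since Mailman is written in Python: a hypothetical listinfo error page that echoes the requested list name taken from the URL path, the same page with the name HTML-escaped before it is interpolated, and a small retrospective check over constructed access-log lines that flags listinfo requests carrying markup. That the list name is what gets reflected, the log format, and all names and addresses are assumptions; the archived message does not preserve the original test URL.

```python
import html
import re
from urllib.parse import unquote

# Constructed list name carrying markup, the kind of input a reflected-XSS
# check uses. Not the payload from the advisory (the archive stripped it).
UNTRUSTED_LISTNAME = "<script>alert(1)</script>"


def render_no_such_list_vulnerable(listname: str) -> str:
    """Hypothetical error page that echoes the requested list name verbatim.

    Models the vulnerable pattern (text from the URL path concatenated
    straight into HTML); it is not Mailman's code.
    """
    return "<html><body>No such list <em>%s</em></body></html>" % listname


def render_no_such_list_fixed(listname: str) -> str:
    """Same page with the list name escaped before interpolation, so the
    browser renders the text instead of executing it."""
    return "<html><body>No such list <em>%s</em></body></html>" % html.escape(
        listname, quote=True
    )


def reflects_raw_markup(page: str, untrusted: str) -> bool:
    """True if the untrusted string reached the page with its tags intact."""
    return untrusted in page


# Constructed Apache common-log lines (not real traffic). The second one
# carries URL-encoded angle brackets in the listinfo path.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Nov/2001:05:09:56 -0500] "GET /mailman/listinfo/ HTTP/1.0" 200 2310
203.0.113.9 - - [28/Nov/2001:05:10:02 -0500] "GET /mailman/listinfo/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 840
203.0.113.7 - - [28/Nov/2001:05:11:40 -0500] "GET /mailman/listinfo/announce HTTP/1.0" 200 3120
"""

# Request line inside a common-log entry: method, path, protocol.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def find_markup_in_listinfo_requests(log_text: str) -> list:
    """Return decoded request paths under /mailman/listinfo/ that contain
    HTML angle brackets after URL-decoding. A quick way to look back
    through access logs for requests of the kind the advisory describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = unquote(m.group("path"))
        if path.startswith("/mailman/listinfo/") and ("<" in path or ">" in path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(render_no_such_list_vulnerable(UNTRUSTED_LISTNAME))
    print(render_no_such_list_fixed(UNTRUSTED_LISTNAME))
    print(find_markup_in_listinfo_requests(SAMPLE_LOG))
```

The escaped version is the whole of the fix for this bug class: every value that originates in the request and ends up in HTML goes through `html.escape` (or the templating engine's equivalent) at the point of output. The log check decodes the path first, since the angle brackets will normally arrive percent-encoded.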