RE: Mailman: cross-site scripting bug

From: Leif Sawyer (lsawyer@gci.com)
Date: 01/24/03

    From: Leif Sawyer <lsawyer@gci.com>
    To: webmaster@procheckup.com, bugtraq@securityfocus.com
    Date: Fri, 24 Jan 2003 12:32:37 -0900
    
    
    

    Hmm...

    https://workserver//mailman/options/ak3barons?language=&lt;SCRIPT&gt;alert('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt;

    returns:

    <h2>Error</h2><strong>Invalid options to CGI script.</strong>

    2.0.11 doesn't seem to be vulnerable to this.

    (although it's got some other issues, but nothing serious for an
    internal site..)

    > -----Original Message-----
    > From: webmaster@procheckup.com [mailto:webmaster@procheckup.com]
    > Sent: Friday, January 24, 2003 5:35 AM
    > To: bugtraq@securityfocus.com
    > Subject: Mailman: cross-site scripting bug
    >
    >
    >
    >
    > Product: Mailman
    > Affected Version: 2.1; no other version has been tested
    > Vendor's URL: http://www.gnu.org/software/mailman/
    > Solution: TBC
    > Author: Manuel Rodriguez
    >
    > Introduction:
    > ------------
    > Mailman is software to help manage electronic mail discussion lists, much
    > like Majordomo or Smartmail. And Mailman has web interface systems.
    >
    >
    > Example:
    > -----------------
    > This is a simple example for version 2.1:
    >
    > 1) With mailman options the email variable is vulnerable to cross-site
    > scripting.
    >
    > You can recognise the vulnerabilities with this type of URL:
    >
    > https://www.yourserver.com:443/mailman/options/yourlist?language=en&email=&lt;SCRIPT&gt;alert('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt;
    >
    > and that proves that any (malicious) script code is possible on the web
    > interface part of Mailman.
    >
    > 2) The default error page mailman generates does not adequately filter its
    > input making it susceptible to cross-site scripting.
    >
    > https://www.yourserver.com:443//mailman/options/yourlist?language=&lt;SCRIPT&gt;alert('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt;
    >
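
The two reflection points named in the quoted advisory (the `email` value and the `language` value on the error page), shown as an added Python example that is not Mailman's code and not part of either message. The flawed renderer sits beside a hardened one. The language allow-list, the "No such member" wording and the query strings are constructed for illustration; only the fixed error text is taken from the reply above.

```python
import html
from urllib.parse import parse_qs

# Assumed allow-list; a real deployment would use its installed languages.
KNOWN_LANGUAGES = {"en", "es", "de", "fr"}
FIXED_ERROR = "<h2>Error</h2><strong>Invalid options to CGI script.</strong>"

# Constructed query strings carrying the advisory's alert() test string.
PROBE = "%3CSCRIPT%3Ealert('Can%20Cross%20Site%20Attack')%3C/SCRIPT%3E"
EMAIL_CASE = "language=en&email=" + PROBE
LANGUAGE_CASE = "language=" + PROBE


def _params(query):
    """Return (language, email) from a raw query string, URL-decoded."""
    fields = parse_qs(query, keep_blank_values=True)
    return fields.get("language", [""])[0], fields.get("email", [""])[0]


def render_unsafe(query):
    """Flawed pattern: request values are pasted into the markup as-is."""
    language, email = _params(query)
    return f"<h2>Error</h2><strong>[{language}] No such member: {email}</strong>"


def render_safe(query):
    """Allow-list the language; HTML-escape the one value that is echoed."""
    language, email = _params(query)
    if language not in KNOWN_LANGUAGES:
        # Fixed text only: the rejected value is never written to the page.
        return FIXED_ERROR
    shown = html.escape(email, quote=True)
    return f"<h2>Error</h2><strong>[{language}] No such member: {shown}</strong>"


if __name__ == "__main__":
    for case in (EMAIL_CASE, LANGUAGE_CASE):
        print("unsafe:", render_unsafe(case))
        print("safe:  ", render_safe(case))
```
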