Re: Mailman: cross-site scripting bug

From: Axel Beckert - ecos gmbh (beckert@ecos.de)
Date: 01/27/03

    Date: Mon, 27 Jan 2003 21:28:09 +0100
    From: Axel Beckert - ecos gmbh <beckert@ecos.de>
    To: bugtraq@securityfocus.com
    
    

    At Fri, Jan 24, 2003 at 12:32:37PM -0900, Leif Sawyer wrote:
    > https://workserver//mailman/options/ak3barons?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
    >
    > returns:
    >
    > <h2>Error</h2><strong>Invalid options to CGI script.</strong>
    >
    > 2.0.11 doesn't seem to be vulnerable to this.

    Same counts for 2.0.13 on Apache 1.3.27.

                Kind regards, Axel Beckert

    -- 
    -------------------------------------------------------------
    Axel Beckert      ecos electronic communication services gmbh
    Internetconnect * Webserver/-design/-datenbanken * Consulting
    Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
    E-Mail:     beckert@ecos.de         Voice:   +49 6133 939-220
    WWW:        http://www.ecos.de/     Fax:     +49 6133 939-111
    -------------------------------------------------------------