Re: Mailman: cross-site scripting bug
From: Axel Beckert - ecos gmbh (beckert@ecos.de)
Date: 01/27/03
Date: Mon, 27 Jan 2003 21:28:09 +0100 From: Axel Beckert - ecos gmbh <beckert@ecos.de> To: bugtraq@securityfocus.com
At Fri, Jan 24, 2003 at 12:32:37PM -0900, Leif Sawyer wrote:
> https://workserver//mailman/options/ak3barons?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>
> returns:
>
> <h2>Error</h2><strong>Invalid options to CGI script.</strong>
>
> 2.0.11 doesn't seem to be vulnerable to this.
Same counts for 2.0.13 on Apache 1.3.27.
Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post:   Tulpenstrasse 5, D-55276 Dienheim b. Mainz
E-Mail: beckert@ecos.de     Voice: +49 6133 939-220
WWW:    http://www.ecos.de/ Fax:   +49 6133 939-111
-------------------------------------------------------------