[ mailman-Patches-674553 ] patch for options.py cross site scripting bug

SourceForge.net noreply at sourceforge.net
Mon Feb 3 22:20:17 EST 2003


Patches item #674553, was opened at 2003-01-25 12:42
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=674553&group_id=103

Category: Web UI
Group: Mailman 2.1
>Status: Closed
Resolution: None
Priority: 8
Submitted By: Tokio Kikuchi (tkikuchi)
Assigned to: Nobody/Anonymous (nobody)
Summary: patch for options.py cross site scripting bug

Initial Comment:
fix this issue

Example:
-----------------
This is a simple example for version 2.1:

1) With mailman options the email variable is
vulnerable to cross-site scripting.

You can recognise the vulnerabilities with this type of
URL:

https://www.yourserver.com:443/mailman/options/yourlist?language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

and that proves that any (malicious) script code is
possible on the web interface part of Mailman.

2) The default error page mailman generates does not
adequately filter its input making it susceptible to
cross-site scripting.

https://www.yourserver.com:443//mailman/options/yourlist?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>



----------------------------------------------------------------------

>Comment By: Tokio Kikuchi (tkikuchi)
Date: 2003-02-04 06:20

Message:
Logged In: YES 
user_id=67709

I think this can be closed now.


----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-01-26 21:33

Message:
Logged In: YES 
user_id=12800

Very good.  Here's the patch I intend to commit and
advertise as a fix for the cross-site scripting bug.  This
additionally fixes a crash when the language cgi variable is
deliberately given a bogus value.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2003-01-26 04:17

Message:
Logged In: YES 
user_id=67709

Please review my second patch. It uses Utils.ValidateEmail()
and returns immediately if the input string is insecure.
Also, websafe(user) is applied again to secure the final output.

Note that the example is circulated in bugtraq.


----------------------------------------------------------------------
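The two reflected values from the initial report (the email and language CGI variables) and the fix approach described in the comment above (reject with an address validator first, then escape the echoed value with websafe()), as an added Python example. This is not Mailman's options.py and not the patch from this tracker item; the example host, SUPPORTED_LANGS, the address regex, the BadEmailError class and the two render functions are stand-ins written for illustration, and Mailman's real Utils.ValidateEmail() and Utils.websafe() are only imitated here.

```python
import html
import re
import urllib.parse

# Constructed sample URLs shaped like the ones in the report (example host,
# not a real server). Each carries a script tag in a CGI variable that the
# options page echoes back.
ATTACK_URL_EMAIL = (
    "https://www.example.org/mailman/options/yourlist?"
    "language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>"
)
ATTACK_URL_LANG = (
    "https://www.example.org/mailman/options/yourlist?"
    "language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>"
)

# Hypothetical stand-in for the languages a list supports (code -> name).
SUPPORTED_LANGS = {"en": "English", "ja": "Japanese"}
DEFAULT_LANG = "en"


def params_from_url(url):
    """Pull the CGI variables out of a URL; first value of each name wins."""
    query = urllib.parse.urlsplit(url).query
    pairs = urllib.parse.parse_qs(query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def websafe(text):
    """Stand-in for Mailman's Utils.websafe(): HTML-escape untrusted text."""
    return html.escape(text, quote=True)


class BadEmailError(ValueError):
    """Stand-in for the error Utils.ValidateEmail() raises on a bad address."""


# Deliberately strict address syntax (an assumption, not Mailman's rule): one
# local part, one dotted domain, and none of the characters that mean anything
# to HTML (<, >, quotes, slashes, spaces).
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\Z")


def validate_email(addr):
    """Stand-in for Utils.ValidateEmail(): reject anything not plainly an address."""
    if not _EMAIL_RE.match(addr):
        raise BadEmailError(addr)
    return addr


def render_vulnerable(params):
    """The behaviour the report describes: CGI values echoed into the page raw."""
    lang = params.get("language", DEFAULT_LANG)
    if lang not in SUPPORTED_LANGS:
        # Error page built from the unfiltered value: item 2 in the report.
        return f"<p>Unknown language: {lang}</p>"
    user = params.get("email", "")
    # No address validation and no escaping: item 1 in the report.
    return f"<title>{SUPPORTED_LANGS[lang]}</title><p>No such member: {user}</p>"


def render_hardened(params):
    """The approach the thread settles on: validate early, escape on output."""
    lang = params.get("language", DEFAULT_LANG)
    if lang not in SUPPORTED_LANGS:
        # Never echo an unknown code; fall back instead of failing the lookup.
        lang = DEFAULT_LANG
    title = SUPPORTED_LANGS[lang]
    user = params.get("email", "")
    try:
        validate_email(user)
    except BadEmailError:
        # Return immediately, and still escape the value that gets echoed.
        return f"<title>{title}</title><p>Illegal email address: {websafe(user)}</p>"
    # Validation passed, but the output is escaped anyway (defence in depth).
    return f"<title>{title}</title><p>Options for {websafe(user)}</p>"


if __name__ == "__main__":
    for url in (ATTACK_URL_EMAIL, ATTACK_URL_LANG):
        params = params_from_url(url)
        print("vulnerable:", render_vulnerable(params))
        print("hardened:  ", render_hardened(params))
```

Running the module shows the raw script tag surviving in both vulnerable pages, while the hardened pages contain only the entity-escaped text. The two layers are deliberate: the validator keeps hostile input from reaching any further processing, and the output escaping covers anything the validator's syntax rule did not anticipate.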

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-01-25 15:24

Message:
Logged In: YES 
user_id=12800

Please try this more comprehensive fix.  If it looks good, I
will issue a security patch later today.

----------------------------------------------------------------------
