[Mailman-Developers] [ mailman-Bugs-558208 ] Unescaped HTML in subject lines

noreply@sourceforge.net noreply@sourceforge.net
Mon, 20 May 2002 08:10:07 -0700


Bugs item #558208, was opened at 2002-05-20 06:16
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=100103&aid=558208&group_id=103

>Category: None
>Group: None
>Status: Open
Resolution: Out of Date
Priority: 5
Submitted By: Tristan Roddis (tristan_roddis)
Assigned to: Nobody/Anonymous (nobody)
Summary: Unescaped HTML in subject lines

Initial Comment:
Currently (in 2.0.x and up to 2.1b2), the archive 
index pages do not escape HTML in the subject lines of 
posts. This exposes the possibility of malicious or 
annoying list members being able to invoke cross site 
javascript on the index pages, or simply corrupt the 
archive display by adding HTML fragments (e.g. '<font 
size="10"> without a corresponding </font>').

The fix is extremely simple: just edit the 
file /home/mailman/Mailman/Archiver/HyperArch.py so 
that the last line of the function 
write_index_entry() (which starts at or near line 882 
in v2.06) reads as follows:

        print index_entry_template % (urllib.quote(article.filename),
                                      html_quote(subject), article.sequence,
                                      author)

[i.e. add the crucial html_quote() function around the 
subject]

Hope that helps,

-Tristan.

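The following is an added example, not Mailman's code and not part of the original report: a cut-down model of the index rendering described above, showing the unescaped interpolation beside the html_quote()'d form. The template string, the Article class and the sample subject are constructed stand-ins for HyperArch's index_entry_template and article object.

```python
# Added example (not Mailman's own code): a minimal model of the archive
# index entry rendering from the report, with and without html_quote().
import html
import urllib.parse

# Hypothetical stand-in for Mailman's index_entry_template (constructed).
INDEX_ENTRY_TEMPLATE = (
    '<li><a href="%s">%s</a><a name="%d">&nbsp;</a><i>%s</i></li>'
)


class Article:
    """Minimal stand-in for HyperArch's article object (constructed)."""

    def __init__(self, filename, subject, sequence, author):
        self.filename = filename
        self.subject = subject
        self.sequence = sequence
        self.author = author


def html_quote(text):
    """Escape the characters that let text be read as markup (&, <, >, quotes)."""
    return html.escape(text, quote=True)


def write_index_entry(article, escape_subject):
    """Render one index line; escape_subject=False reproduces the reported bug."""
    subject = html_quote(article.subject) if escape_subject else article.subject
    return INDEX_ENTRY_TEMPLATE % (
        urllib.parse.quote(article.filename),  # URL-quote the link target
        subject,                               # the field the report fixes
        article.sequence,
        html_quote(article.author),            # author is HTML-quoted too
    )


def injects_markup(rendered, payload):
    """True if the raw payload survived into the page as live markup."""
    return payload in rendered


# Constructed post whose subject carries the unclosed tag from the report.
SAMPLE = Article("000001.html", '<font size="10">Hello', 1, "Tristan Roddis")

if __name__ == "__main__":
    for escaped in (False, True):
        print("escaped" if escaped else "raw    ", write_index_entry(SAMPLE, escaped))
```
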
----------------------------------------------------------------------

>Comment By: Barry Warsaw (bwarsaw)
Date: 2002-05-20 11:10

Message:
Logged In: YES 
user_id=12800

I'm re-opening this but moving it to the bugs tracker.

I believe MM2.0.10 is vulnerable to this attack and the fix
is simple.  MM2.1b2 is not vulnerable because if you look at
line 859 in HyperArch.py, you'll see that the subject and
author fields are always CGIescape()'d.

----------------------------------------------------------------------

Comment By: Tristan Roddis (tristan_roddis)
Date: 2002-05-20 09:47

Message:
Logged In: YES 
user_id=549463

I've just had a look, and the offending line is still there 
in the file HyperArch.py for both versions (line number 882 
in 2.10, and line 862 from both the mailman2.1b2.tar 
archive and the latest CVS). Note that there was never this 
problem with the subject lines for each individual article -
 it's only the index pages that are missing the HTML 
quoting function.

HTH,

-T.

----------------------------------------------------------------------

Comment By: Barry Warsaw (bwarsaw)
Date: 2002-05-20 09:26

Message:
Logged In: YES 
user_id=12800

I believe this report is out of date.  All known cross-site
scripting attacks have been fixed as of MM2.0.10 and I don't
believe MM2.1b2 is vulnerable.  I double checked the code in
each version and indeed both versions make sure to quote any
html in subjects.

Can you please double check the latest versions (2.0.10 and
2.1cvs)?

----------------------------------------------------------------------