[Mailman-Developers] Fw: [ham] Mailman: cross-site scripting bug

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Sat Jan 25 11:12:43 EST 2003


Hmm,

Looks like this is the cause of the problem in Cgi/options.py

     # Avoid cross-site scripting attacks
     safeuser = Utils.websafe(user)
     # Sanity check the user, but be careful about leaking membership
     # information when we're using private rosters.
     if not mlist.isMember(user) and mlist.private_roster == 0:
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         doc.addError(_('No such member: %(safeuser)s.'))
         loginpage(mlist, doc, None, cgidata)
         print doc.Format()
         return

This check is passed for a closed list. ?? Should it be like this?

     if not mlist.isMember(user):
         if mlist.private_roster:
             safeuser = _('undisclosed')
         doc.addError(_('No such member: %(safeuser)s.'))



Michael Meltzer wrote:
> saw this on bugtraq, figured it was a good idea to relay here.
> 
> MJM
> 
> ----- Original Message ----- 
> From: <webmaster at procheckup.com>
> To: <bugtraq at securityfocus.com>
> Sent: Friday, January 24, 2003 9:35 AM
> Subject: [ham] Mailman: cross-site scripting bug
> 
> 
> 
>>
>>Product: Mailman
>>Affected Version: 2.1; no other version has been tested
>>Vendor's URL: http://www.gnu.org/software/mailman/
>>Solution: TBC
>>Author: Manuel Rodriguez
>>
>>Introduction:
>>------------
>>Mailman is software to help manage electronic mail discussion lists, much 
>>like Majordomo or Smartmail, and Mailman has a web interface.
>>
>>
>>Example:
>>-----------------
>>This is a simple example for version 2.1:
>>
>>1) With mailman options the email variable is vulnerable to cross-site 
>>scripting.
>>
>>You can recognise the vulnerabilities with this type of URL:
>>
>>https://www.yourserver.com:443/mailman/options/yourlist?
>>language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> 
>>and that proves that any (malicious) script code is possible on the web 
>>interface part of Mailman.
>>
>>2) The default error page mailman generates does not adequately filter its 
>>input making it susceptible to cross-site scripting.
>>
>>https://www.yourserver.com:443//mailman/options/yourlist?
>>language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>>
> 
> 
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
> 
> 


-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
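The two points raised in this thread, as an added example that is not Mailman's own code: the reflected `email` value must be HTML-escaped before it is placed in the error page, and on a private-roster list the response for an unknown address must be indistinguishable from the response for a member, or the error itself becomes a membership oracle. The `websafe` helper below is a stand-in for `Utils.websafe` built on the standard library; the member set and the language allowlist are constructed sample data, and the page layout is invented for illustration.

```python
import html
from typing import Optional, Tuple

# Constructed sample roster; not Mailman's real membership store.
MEMBERS = {"alice@example.org", "bob@example.org"}

# Constructed allowlist of language codes; a real deployment would use
# the list's configured languages.
KNOWN_LANGUAGES = {"en", "ja", "de"}


def websafe(text: str) -> str:
    """HTML-escape untrusted text (stand-in for Mailman's Utils.websafe).
    quote=True also escapes ' and ", so the value is safe inside attributes."""
    return html.escape(text, quote=True)


def member_error_unsafe(user: str) -> str:
    """The vulnerable pattern: the raw 'email' query value lands in the
    page unescaped, so <SCRIPT> from the URL is rendered as markup."""
    return "<p>No such member: %s.</p>" % user


def options_page_response(user: str, members, private_roster: bool,
                          language: str) -> Tuple[Optional[str], str]:
    """Hardened form. Returns (error_html_or_None, next_page).

    - Public roster, unknown address: show an error, but only with the
      escaped value.
    - Private roster: members and non-members get exactly the same
      response, so probing addresses reveals nothing.
    - The language code is validated against an allowlist rather than
      escaped and echoed, since it selects a catalogue, not free text."""
    if language not in KNOWN_LANGUAGES:
        language = "en"
    if user not in members and not private_roster:
        return ("<p>No such member: %s.</p>" % websafe(user),
                "login?language=%s" % language)
    # Member, or private roster: identical path either way.
    return (None, "login?language=%s" % language)


if __name__ == "__main__":
    probe = "<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>"
    print(member_error_unsafe(probe))
    print(options_page_response(probe, MEMBERS, False, "en"))
    print(options_page_response(probe, MEMBERS, True, probe))
```

Run it with the bugtraq payload as `user` and compare the three outputs: only the unsafe renderer emits a literal `<SCRIPT>` tag, and with `private_roster=True` the tuple for the probe is identical to the tuple for `alice@example.org`.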