[Mailman-Developers] Fw: [ham] Mailman: cross-site scripting bug
Tokio Kikuchi
tkikuchi at is.kochi-u.ac.jp
Sat Jan 25 11:12:43 EST 2003
Hmm,
Looks like this is the cause of the problem in Cgi/options.py:

    # Avoid cross-site scripting attacks
    safeuser = Utils.websafe(user)
    # Sanity check the user, but be careful about leaking membership
    # information when we're using private rosters.
    if not mlist.isMember(user) and mlist.private_roster == 0:
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        doc.addError(_('No such member: %(safeuser)s.'))
        loginpage(mlist, doc, None, cgidata)
        print doc.Format()
        return
This check is passed if the list is closed. ?? Should it be like this?

    if not mlist.isMember(user):
        if mlist.private_roster:
            safeuser = _('undisclosed')
        doc.addError(_('No such member: %(safeuser)s.'))
Michael Meltzer wrote:
> saw this on bugtraq, figured it was a good idea to relay here.
>
> MJM
>
> ----- Original Message -----
> From: <webmaster at procheckup.com>
> To: <bugtraq at securityfocus.com>
> Sent: Friday, January 24, 2003 9:35 AM
> Subject: [ham] Mailman: cross-site scripting bug
>
>
>
>>
>>Product: Mailman
>>Affected Version: 2.1; no other version has been tested
>>Vendor's URL: http://www.gnu.org/software/mailman/
>>Solution: TBC
>>Author: Manuel Rodriguez
>>
>>Introduction:
>>------------
>>Mailman is software to help manage electronic mail discussion lists, much
>>like Majordomo or Smartmail. And Mailman has a web interface.
>>
>>
>>Example:
>>-----------------
>>This is a simple example for version 2.1:
>>
>>1) With mailman options the email variable is vulnerable to cross-site
>>scripting.
>>
>>You can recognise the vulnerabilities with this type of URL:
>>
>>https://www.yourserver.com:443/mailman/options/yourlist?language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>>
>>and that proves that any (malicious) script code is possible in the web
>>interface part of Mailman.
>>
>>2) The default error page mailman generates does not adequately filter its
>>input making it susceptible to cross-site scripting.
>>
>>https://www.yourserver.com:443//mailman/options/yourlist?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>>
>
>
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
>
>
--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
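An added example (not Mailman's own code) that models the non-member error path discussed above with the proposed change applied: the address is always HTML-escaped before it is placed in the error text, and on a private roster it is replaced by a fixed word so the page neither reflects the submitted value nor reveals whether it is subscribed. `FakeList`, `websafe` (a stand-in for Utils.websafe built on html.escape), `nonmember_error` and `is_reflected_unescaped` are assumed names written for this illustration.

```python
import html


def websafe(s):
    """Stand-in for Mailman's Utils.websafe: neutralise HTML metacharacters."""
    return html.escape(s, quote=True)


class FakeList:
    """Constructed stand-in for a MailList: a member set plus the roster flag."""

    def __init__(self, members, private_roster):
        self.members = set(m.lower() for m in members)
        self.private_roster = private_roster  # 0 = public roster, else private

    def isMember(self, addr):
        return addr.lower() in self.members


def nonmember_error(mlist, user):
    """Return the error text for `user`, or None when no error applies.

    A non-member always produces an error, so no branch is skipped for a
    closed list.  On a private roster the address is not echoed at all,
    which removes both the reflection and the membership-oracle problem.
    """
    if mlist.isMember(user):
        return None
    if mlist.private_roster:
        safeuser = 'undisclosed'
    else:
        safeuser = websafe(user)
    return 'No such member: %(safeuser)s.' % {'safeuser': safeuser}


def is_reflected_unescaped(page, user):
    """Check helper: True if the raw input reached the page without escaping."""
    return user in page and websafe(user) != user


if __name__ == '__main__':
    probe = "<b>not-a-member</b>"  # constructed non-member input
    public = FakeList(['alice@example.org'], private_roster=0)
    private = FakeList(['alice@example.org'], private_roster=1)
    print(nonmember_error(public, probe))   # markup arrives escaped
    print(nonmember_error(private, probe))  # No such member: undisclosed.
```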