[Mailman-Developers] bugs in 2.1.2
Barry Warsaw
barry at python.org
Sun Sep 28 11:56:24 EDT 2003
On Fri, 2003-09-26 at 09:21, ned wrote:
> Hello list,
> I've been poking and prodding Mailman for about an hour now...found a few
> things which could be seen as not secure (although they don't have any real
> impact...):
> First, there is an XSS (cross-site scripting) bug in create.py in Cgi/. Just
> enter
> "><script>alert("hi")</script>. Putting a Utils.Websafe (is that right)
> should fix it...
>
> Second, a small bug in Mailist.Mailist; here's a quick demo:
> http://mail.python.org/mailman/listinfo/(X * 500). Nice little info
> disclosure hole...easily fixed by restricting lengths on filenames that
> open() uses. But you already knew that!
Good catches and good timing! The fixes will be in Mailman 2.1.3.
-Barry
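
An added example, not part of the original message and not Mailman's own code: the two fixes suggested in the report, sketched in Python. `html.escape` stands in for Mailman's escaping helper, and the 64-character cap, the allowed-character pattern and the `config.txt` file name are assumptions made for illustration.

```python
import html
import os
import re

MAX_LISTNAME_LEN = 64   # assumed cap, not Mailman's own value
LISTNAME_RE = re.compile(r"[a-z0-9][a-z0-9._+-]*\Z")   # assumed allowed characters

def render_field_unsafe(value):
    # "Before": the submitted value is echoed into the attribute verbatim.
    return '<input name="listname" value="%s">' % value

def render_field(value):
    # "After": &, <, > and both quote characters are escaped before echoing.
    return '<input name="listname" value="%s">' % html.escape(value, quote=True)

def validate_listname(raw):
    """Return the normalised name, or None if it must not reach open()."""
    name = raw.strip().lower()
    if not name or len(name) > MAX_LISTNAME_LEN or not LISTNAME_RE.match(name):
        return None
    return name

def load_list_config(base_dir, raw):
    """Return (status, body); errors never echo input, paths or exception text."""
    name = validate_listname(raw)
    if name is None:
        return 404, "No such list"
    try:
        # config.txt is a hypothetical per-list file used only for this sketch.
        with open(os.path.join(base_dir, name, "config.txt")) as fh:
            return 200, html.escape(fh.read())
    except OSError:
        # Same fixed answer as above, so the response reveals nothing extra.
        return 404, "No such list"

if __name__ == "__main__":
    payload = '"><script>alert("hi")</script>'   # string quoted in the report
    print(render_field_unsafe(payload))          # markup breaks out of value=""
    print(render_field(payload))                 # rendered as inert text
    print(load_list_config("/nonexistent", "X" * 500))
```

The over-long name is rejected before any filesystem call, and every failure path returns the same fixed message.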