[Mailman-Developers] Question about fix for CVE-2006-3636

Juan Ignacio Germano jigermano at gmail.com
Mon Oct 23 18:03:20 CEST 2006


Hi everyone. Can anyone tell me how the XSS indicated by this
advisory was fixed? I might be doing something wrong here, but can't see
what it is.

I was using a fairly old version (2.1.5), and upgraded to 2.1.9. To my
surprise, the XSS using the URL with listinfo.html is still working,
changing the content (HTML) of the list's info using the PoC URL of
the said advisory. Reading the code for edithtml.py I can still see
problems here: passing the values using GET still works, and the
regular expression looking for <[/]?script.*> is still case-sensitive.

The diff between revision 7723 and 8001 for edithtml.py
(Release_2_1-maint branch) gives me:

Index: edithtml.py
===================================================================
--- edithtml.py (revision 7723)
+++ edithtml.py (working copy)
@@ -143,7 +143,8 @@
     doc.AddItem('<p>')
     doc.AddItem('<hr>')
     form = Form(mlist.GetScriptURL('edithtml') + '/' + template_name)
-    text = Utils.websafe(Utils.maketext(template_name, raw=1, mlist=mlist))
+    text = Utils.maketext(template_name, raw=1, mlist=mlist)
+    # MAS: Don't websafe twice.  TextArea does it.
     form.AddItem(TextArea('html_code', text, rows=40, cols=75))
     form.AddItem('<p>' + _('When you are done making changes...'))
     form.AddItem(SubmitButton('submit', _('Submit Changes')))
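Review bot: the only change in this hunk is on the rendering side: dropping the outer `Utils.websafe(...)` around `Utils.maketext(...)` fixes a double escape in the edit form (the added comment says `TextArea` escapes the text itself), but nothing in these lines validates or rejects the `html_code` a user submits, so this hunk on its own does not stop script content from being saved into the template. If the handling of submitted values (the script-tag regular expression and the GET/POST distinction raised in the message) was changed elsewhere in edithtml.py, the commit message should point to that change, because a reader comparing only these two revisions will conclude, as the poster did, that no input-side fix was made here.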

I am sure I'm doing something wrong, but can't see what it is. Where's the fix?

Cheers,

-- 
Juan
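As an added illustration of the case-sensitivity problem the message points out (this is example code written for this page, not code from Mailman or from the poster), the snippet below compiles the regular expression quoted above exactly as written, puts a case-insensitive, whitespace-tolerant variant beside it, and runs both over constructed sample template submissions. The function names, the sample HTML and the `validate_edit_request` helper are all assumptions made for the example; nothing here is taken from the advisory's PoC.

```python
import re

# The pattern quoted in the message, compiled as written: it only matches a
# lowercase "script" directly after "<" or "</".  (Assumption: this is the
# literal expression; the surrounding edithtml.py code is not reproduced.)
CASE_SENSITIVE_SCRIPT = re.compile(r'<[/]?script.*>')

# Hardened variant for comparison: case-insensitive, tolerant of whitespace
# after "<" and "/", non-greedy so it stops at the first ">", and DOTALL so a
# tag split across lines is still seen.
CASE_INSENSITIVE_SCRIPT = re.compile(r'<\s*/?\s*script\b.*?>',
                                     re.IGNORECASE | re.DOTALL)


def flags_script_case_sensitive(html):
    """True if the page's original (case-sensitive) expression matches."""
    return CASE_SENSITIVE_SCRIPT.search(html) is not None


def flags_script_hardened(html):
    """True if the case-insensitive variant matches."""
    return CASE_INSENSITIVE_SCRIPT.search(html) is not None


# Constructed sample submissions for a list template (not from the advisory).
SAMPLES = {
    'lowercase': '<p>Welcome</p><script>alert(1)</script>',
    'uppercase': '<p>Welcome</p><SCRIPT>alert(1)</SCRIPT>',
    'spaced':    '<p>Welcome</p>< Script >alert(1)</ Script >',
    'clean':     '<p>Welcome to the list</p>',
    # "description" contains the letters "script" but is not a tag: neither
    # expression should flag it, which shows the hardened one has no false
    # positive on ordinary prose.
    'prose':     '<p>Our description script</p>',
}


def compare(samples=SAMPLES):
    """Map each sample name to (case_sensitive_hit, hardened_hit)."""
    return {name: (flags_script_case_sensitive(html),
                   flags_script_hardened(html))
            for name, html in samples.items()}


def validate_edit_request(method, html):
    """Hypothetical server-side check for a template edit.

    Accept only when the change arrives by POST (so a crafted GET link cannot
    apply it) and the submitted HTML carries no script tag in any letter case.
    Returns (accepted, reason).
    """
    if method.upper() != 'POST':
        return (False, 'changes must be submitted with POST')
    if flags_script_hardened(html):
        return (False, 'script tags are not allowed in list templates')
    return (True, 'ok')


if __name__ == '__main__':
    for name, (cs, ci) in compare().items():
        print(f'{name:10s} case-sensitive={cs!s:5s} hardened={ci}')
    print(validate_edit_request('GET', SAMPLES['clean']))
    print(validate_edit_request('POST', SAMPLES['uppercase']))
    print(validate_edit_request('POST', SAMPLES['clean']))
```

Running it shows the two expressions agreeing on the lowercase and clean samples and disagreeing on the upper-case and spaced ones, which is exactly the gap the message describes; the `validate_edit_request` helper shows where such a check belongs, on the save path rather than on the form rendering that the quoted diff touches.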

