*** This bug is a security vulnerability ***

Private security bug reported:

A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phishing_text
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

This issue was discovered by Abderrahmane Sahnoun <[email protected]>.
same as CVE-2018-13796

** Affects: mailman
Importance: Undecided
Assignee: Abderrahmane Sahnoun (xvirusdz)
Status: New

** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)

** Description changed:

  hi team,
  im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
  it's the same like CVE-2018-13796
  here a example of it:
- https://homewalkers.net/mailman/roster/wassim
+ https://homewalkers.net/mailman/roster/type_any_thing_here
  I await your reply at the earliest time
  Sincerely;

** Description changed:

- hi team,
- im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
- it's the same like CVE-2018-13796
- here a example of it:
- https://homewalkers.net/mailman/roster/type_any_thing_here
- I await your reply at the earliest time
- Sincerely;
+ A URL with a very long text listname such as
+ https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phishing_text
+ will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
+
+ This issue was discovered by Abderrahmane Sahnoun
+ <[email protected]>.

** Changed in: mailman
Assignee: Abderrahmane Sahnoun (xvirusdz) => (unassigned)

** Description changed:

  A URL with a very long text listname such as
  https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phishing_text
  will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

- This issue was discovered by Abderrahmane Sahnoun
- <[email protected]>.
+ This issue was discovered by Abderrahmane Sahnoun <[email protected]>.
+ same as CVE-2018-13796

** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1913241

Title:
A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
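
The reflection described in this report, next to a handler that no longer echoes the requested name, as an added example that is not part of the original notification and is not Mailman's code. The handler names, `KNOWN_LISTS`, the list-name pattern and the HTML strings are assumptions made for illustration.

```python
import html
import logging
import re

log = logging.getLogger("roster-demo")

# Constructed sample data and an assumed naming policy (not Mailman's own).
KNOWN_LISTS = {"mailman", "announce"}
LISTNAME_RE = re.compile(r"[a-z0-9][a-z0-9._+-]{0,63}")

# Path portion after /mailman/roster, taken from the URL in the report.
SAMPLE_PATH = "/This_is_a_long_string_with_some_phishing_text"


def listname_from_path(path_info):
    """Return the first path component, lowercased, or '' if there is none."""
    parts = [p for p in path_info.split("/") if p]
    return parts[0].lower() if parts else ""


def roster_reflecting(path_info):
    """Echoes the requested name in the error page.

    html.escape() stops markup injection, but attacker-chosen plain words
    still render inside a page served from the trusted host.
    """
    name = listname_from_path(path_info)
    if name not in KNOWN_LISTS:
        return 404, "<h2>No such list <em>%s</em></h2>" % html.escape(name)
    return 200, "<h2>Roster for %s</h2>" % html.escape(name)


def roster_hardened(path_info):
    """Fixed error text; the requested name is written to the log only."""
    name = listname_from_path(path_info)
    if LISTNAME_RE.fullmatch(name) and name in KNOWN_LISTS:
        return 200, "<h2>Roster for %s</h2>" % html.escape(name)
    # Truncate and repr() the value so the log entry stays on one line.
    log.warning("roster request for unknown list: %r", name[:80])
    return 404, "<h2>No such list</h2>"


if __name__ == "__main__":
    print(roster_reflecting(SAMPLE_PATH))
    print(roster_hardened(SAMPLE_PATH))
```
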
