Re: [Mailman-Developers] Fw: [ham] Mailman: cross-site scriptingbug

Fri, 24 Jan 2003 18:12:40 -0800 

Hmm,

Looks this is the cause of problem in Cgi/options.py

    # Avoid cross-site scripting attacks
    safeuser = Utils.websafe(user)
    # Sanity check the user, but be careful about leaking membership
    # information when we're using private rosters.
    if not mlist.isMember(user) and mlist.private_roster == 0:
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        doc.addError(_('No such member: %(safeuser)s.'))
        loginpage(mlist, doc, None, cgidata)
        print doc.Format()
        return

Pass this check if closed list. ?? should be like this?

    if not mlist.isMember(user):
        if mlist.private_roster:
            safeuser = _('undisclosed')
        doc.addError(_('No such member: %(safeuser)s.')



Michael Meltzer wrote:
saw this on bugtraq, figuried it was a good idea to relay here.

MJM

----- Original Message ----- From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 24, 2003 9:35 AM
Subject: [ham] Mailman: cross-site scripting bug




Product: Mailman
Affected Version: 2.1 not other version has been tested
Vendor's URL: http://www.gnu.org/software/mailman/
Solution: TBC
Author: Manuel Rodriguez

Introduction:
------------
Mailman is software to help manage electronic mail discussion lists, much like Majordomo or Smartmail. And Mailman have web interface systems.


Example:
-----------------
This is a simple example for version 2.1:

1) With mailman options the email variable is vulnerable to cross-site scripting.

You can recognise the vulnerabilities with this type of URL:

https://www.yourserver.com:443/mailman/options/yourlist?
language=en&email=&lt;SCRIPT&gt;alert('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt; and that prove that any (malicious) script code is possible on web interface part of Mailman.

2) The default error page mailman generates does not adequately filter its input making it susceptible to cross-site scripting.

https://www.yourserver.com:443//mailman/options/yourlist?
language=&lt;SCRIPT&gt;alert('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt;


_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers




--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/


_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers

Reply via email to