Hi,

I think I've stumbled on a possible Cross-Site-Scripting vulnerability in Mailman 2.1.4. Take a look:

* Set up a new list and configure it with private archives
* Try to view the archives - enter something like <script language="JavaScript">window.alert(document.cookie)</script> into the EMail Address box. Click on "Let me in."


On a side note, is it possible for that page to not reveal any sensitive information such as path and environmental variables?

-Ho Yin


------------------------------------------------------ Mailman-Users mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: [EMAIL PROTECTED]
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Reply via email to