[28622] in bugtraq
RE: Mailman: cross-site scripting bug
daemon@ATHENA.MIT.EDU (Leif Sawyer)
Fri Jan 24 19:31:37 2003
Message-ID: <BF9651D8732ED311A61D00105A9CA3150BE8778A@berkeley.gci.com>
From: Leif Sawyer <lsawyer@gci.com>
To: webmaster@procheckup.com, bugtraq@securityfocus.com
Date: Fri, 24 Jan 2003 12:32:37 -0900
MIME-Version: 1.0
Hmm...
https://workserver//mailman/options/ak3barons?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
returns:
<h2>Error</h2><strong>Invalid options to CGI script.</strong>
2.0.11 doesn't seem to be vulnerable to this.
(although it's got some other issues, but nothing serious for an internal site..)
> -----Original Message-----
> From: webmaster@procheckup.com [mailto:webmaster@procheckup.com]
> Sent: Friday, January 24, 2003 5:35 AM
> To: bugtraq@securityfocus.com
> Subject: Mailman: cross-site scripting bug
>
> Product: Mailman
> Affected Version: 2.1; no other version has been tested
> Vendor's URL: http://www.gnu.org/software/mailman/
> Solution: TBC
> Author: Manuel Rodriguez
>
> Introduction:
> ------------
> Mailman is software to help manage electronic mail discussion lists, much
> like Majordomo or Smartmail, and Mailman has a web interface.
>
>
> Example:
> -----------------
> This is a simple example for version 2.1:
>
> 1) With mailman options the email variable is vulnerable to cross-site
> scripting.
>
> You can recognise the vulnerabilities with this type of URL:
>
> https://www.yourserver.com:443/mailman/options/yourlist?language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>
> and that proves that any (malicious) script code is possible on the web
> interface part of Mailman.
>
> 2) The default error page mailman generates does not adequately filter its
> input, making it susceptible to cross-site scripting.
>
> https://www.yourserver.com:443//mailman/options/yourlist?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
>
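Both reports in this thread come down to the same defect: a CGI script copying the `email` or `language` query parameter straight into its HTML response, so the 2.0.11 behaviour Leif observed (rejecting an unknown `language` value with "Invalid options to CGI script") is the mitigation. The following is an added illustration, not Mailman's code and not from either poster: it parses the two URLs quoted above, renders them once with raw interpolation and once with output encoding plus a whitelist on `language`, and checks whether a script element survives. The function names, the `KNOWN_LANGUAGES` set and the page markup are assumptions made for the example.

```python
"""Added example: reflecting CGI parameters into HTML, unsafe vs. hardened.
Not Mailman's code; the markup and language list are invented for illustration."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed: the two example URLs from the advisory quoted in the thread.
EMAIL_URL = ("https://www.yourserver.com:443/mailman/options/yourlist?"
             "language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>")
LANGUAGE_URL = ("https://www.yourserver.com:443//mailman/options/yourlist?"
                "language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>")

# Assumed whitelist of language codes the list is configured to offer.
KNOWN_LANGUAGES = {"en", "de", "fr", "es"}

ERROR_PAGE = "<h2>Error</h2><strong>Invalid options to CGI script.</strong>"


def params(url):
    """Return the query parameters of a URL as a flat dict (first value wins).
    parse_qs percent-decodes, so %20 becomes a space here."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_unsafe(email, language):
    """Vulnerable pattern: request data interpolated verbatim into markup,
    both in element text and inside a quoted attribute value."""
    return (f'<h2>Options for {email}</h2>'
            f'<input type="hidden" name="language" value="{language}">')


def render_safe(email, language):
    """Hardened form: reject values outside the expected set, and HTML-encode
    anything that is echoed. quote=True also encodes ' and " so the value is
    safe inside a double-quoted attribute, not only in element text."""
    if language not in KNOWN_LANGUAGES:
        return ERROR_PAGE
    return (f'<h2>Options for {html.escape(email, quote=True)}</h2>'
            f'<input type="hidden" name="language" '
            f'value="{html.escape(language, quote=True)}">')


def contains_script_tag(markup):
    """Cheap check used by the example: does a <script element survive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for url in (EMAIL_URL, LANGUAGE_URL):
        p = params(url)
        email, language = p.get("email", "user@example.com"), p.get("language", "")
        print("unsafe :", render_unsafe(email, language))
        print("safe   :", render_safe(email, language))
        print()
```

Running the block prints the raw and encoded renderings for each URL; the `email` payload comes back as `&lt;SCRIPT&gt;...` in the safe version, and the `language` payload never reaches the page because it fails the whitelist, which is exactly the "Invalid options" response reported for 2.0.11.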