[28675] in bugtraq

Re: Mailman: cross-site scripting bug

daemon@ATHENA.MIT.EDU (Axel Beckert - ecos gmbh)
Mon Jan 27 16:18:37 2003

Date: Mon, 27 Jan 2003 21:28:09 +0100
From: Axel Beckert - ecos gmbh <beckert@ecos.de>
To: bugtraq@securityfocus.com
Message-ID: <20030127202809.GL1206@ecos.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BF9651D8732ED311A61D00105A9CA3150BE8778A@berkeley.gci.com>

At Fri, Jan 24, 2003 at 12:32:37PM -0900, Leif Sawyer wrote:
> https://workserver//mailman/options/ak3barons?language=&lt;SCRIPT&gt;ale
> rt('Can%20Cross%20Site%20Attack')&lt;/SCRIPT&gt;
> 
> returns:
> 
> <h2>Error</h2><strong>Invalid options to CGI script.</strong>
> 
> 2.0.11 doesn't seem to be vulnerable to this.

The same goes for 2.0.13 on Apache 1.3.27.

            Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     beckert@ecos.de         Voice:   +49 6133 939-220
WWW:        http://www.ecos.de/     Fax:     +49 6133 939-111
-------------------------------------------------------------
