[Bug 1614841] [NEW] CSRF protection needs to be extended to the user options page

Public bug reported:
There is a possibility of a CSRF attack via the user options page which could allow an attacker to discover a user's password.
** Affects: mailman
   Importance: Medium
   Assignee: Mark Sapiro (msapiro)
   Status: In Progress

CVE-2016-6893 has been assigned for this issue.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6893

** Description changed:
There is a possibility of a CSRF attack via the user options page which
- could allow an attacker to discover a user's password.
+ could allow an attacker to discover a user's password. Reported by
+ Nishant Agarwala.

What versions does this bug affect?

What versions?
All Mailman 2.1.x prior to 2.1.23. However, versions older than 2.1.15 are also vulnerable to CSRF attacks on the admin web interface.

** Changed in: mailman Status: In Progress => Fix Released

A patch to fix this which is applicable to Mailman >= 2.1.15 and <= 2.1.22 is attached here. This fix has also been released as part of Mailman 2.1.23.
** Attachment added: "Patch for CVE-2016-6893" https://bugs.launchpad.net/mailman/+bug/1614841/+attachment/4732645/+files/p...
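The attached patch is not reproduced on this page. As an added illustration of the class of fix the bug title asks for (not Mailman's own code and not the attached patch), the block below shows a minimal HMAC-based CSRF token bound to the list and the user, with an expiry, and a simulated user-options form handler that refuses any state-changing request whose token is missing, expired, tampered with, or issued for a different user. The names `SITE_SECRET`, `make_csrf_token`, `check_csrf_token` and `handle_options_post`, and the constructed secret, are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a deployment would load it
# from site configuration and never embed it in source.
SITE_SECRET = b"constructed-site-secret-for-example-only"
TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(secret, listname, user, issued):
    """HMAC over the binding data: list name, user address, issue time."""
    msg = "{}:{}:{}".format(listname, user, issued).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_csrf_token(listname, user, secret=SITE_SECRET, now=None):
    """Return 'issued:mac', to be embedded as a hidden field in the form."""
    issued = int(time.time()) if now is None else int(now)
    return "{}:{}".format(issued, _mac(secret, listname, user, issued))


def check_csrf_token(token, listname, user, secret=SITE_SECRET, now=None,
                     ttl=TOKEN_TTL):
    """True only if the token was minted for this list and user and is fresh."""
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    current = int(time.time()) if now is None else int(now)
    if issued > current or current - issued > ttl:
        return False  # clock skew or expired
    expected = _mac(secret, listname, user, issued)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, mac)


def handle_options_post(form, session_user, listname, now=None):
    """Simulated POST handler for the per-user options page.

    `form` is the submitted field dict; `session_user` is the address the
    server has already authenticated. Returns (status, message).
    """
    token = form.get("csrf_token", "")
    if not check_csrf_token(token, listname, session_user, now=now):
        # Reject before touching any option, password or address.
        return 403, "The form lifetime has expired or the CSRF token is invalid."
    # Only a request that carried a valid token reaches state-changing code.
    return 200, "options updated"


if __name__ == "__main__":
    tok = make_csrf_token("announce", "user@example.invalid")
    print(handle_options_post({"csrf_token": tok}, "user@example.invalid", "announce"))
    print(handle_options_post({}, "user@example.invalid", "announce"))
```

The token is tied to the authenticated user, so a form submission forged from another origin fails even if the browser attaches the victim's cookies, and a token minted for one user cannot be replayed against another. The server renders the token into the options form and verifies it on every POST.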

The patch attached at https://bugs.launchpad.net/mailman/+bug/1614841/comments/4 may look garbled if opened in your browser, but the downloaded file should be OK.

Re Comment #3, it appears this has triggered a new CVE-2016-7123 to be issued just based on this one line that Mark Sapiro wrote, with no other confirmation than this Launchpad bug #1614841, but I wonder if the latter CVE (CVE-2016-7123) is a duplicate of the old CVE-2011-0707 or a new separate issue. I haven't been able to find relevant information so far, and people are also wondering and reporting this elsewhere. https://www.cvedetails.com/cve/CVE-2011-0707/
Related: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378 <- requesting FreeBSD to list CVE-2016-7123 as a new bug (note that FreeBSD already marked CVE-2016-6893 which covers a wider span of versions).
** Bug watch added: bugs.freebsd.org/bugzilla/ #212378 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0707
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7123

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7123

CVE-2011-0707 is not related to this CSRF issue. It references an XSS vulnerability that was fixed in Mailman 2.1.15 and so noted in the changelog of that release at https://launchpad.net/mailman/2.1/2.1.15
CVE-2016-7123 is a new CVE that apparently just acknowledges the CSRF vulnerability in the admin interface that exists in Mailman prior to 2.1.15. See https://bugs.launchpad.net/mailman/+bug/775294
participants (3)
- Mark Sapiro
- Matthias Andree
- Mike Cave