[ mailman-Patches-674553 ] patch for options.py cross site scripting bug
Patches item #674553, was opened at 2003-01-25 12:42
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=674553&group_id=103

Category: Web UI
Group: Mailman 2.1
Status: Closed
Resolution: None
Priority: 8
Submitted By: Tokio Kikuchi (tkikuchi)
Assigned to: Nobody/Anonymous (nobody)
Summary: patch for options.py cross site scripting bug

Initial Comment:
fix this issue

Example:
-----------------
This is a simple example for version 2.1:

1) With mailman options the email variable is vulnerable to cross-site scripting. You can recognise the vulnerabilities with this type of URL:

https://www.yourserver.com:443/mailman/options/yourlist?language=en&email=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

and that proves that any (malicious) script code is possible on web interface part of Mailman.

2) The default error page mailman generates does not adequately filter its input making it susceptible to cross-site scripting.

https://www.yourserver.com:443//mailman/options/yourlist?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2003-02-04 06:20

Message:
Logged In: YES
user_id=67709

I think this can be closed now.

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-01-26 21:33

Message:
Logged In: YES
user_id=12800

Very good. Here's the patch I intend to commit and advertise as a fix for the cross-site scripting bug. This additionally fixes a crash when the language cgi variable is deliberately given a bogus value.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2003-01-26 04:17

Message:
Logged In: YES
user_id=67709

Please review my second patch. It uses Utils.ValidateEmail() and returns immediately if the input string is insecure. Also, websafe(user) again to secure the final output.
Note that the Example is circulated in bugtraq.

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-01-25 15:24

Message:
Logged In: YES
user_id=12800

Please try this more comprehensive fix. If it looks good, I will issue a security patch later today.

----------------------------------------------------------------------
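
The validate-then-escape approach described in the comments, together with the bogus `language` case, shown as an added example; it is not the Mailman patch or any code from this tracker item. `pick_language`, `render_options_page`, the address pattern and the language set are assumptions made for illustration, and the requests are constructed from the two URLs in the report.

```python
import html
import re

# Assumption: a simplified address pattern for illustration only; it is not
# Mailman's Utils.ValidateEmail(). It allows "'" because real addresses can.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._+'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
SUPPORTED_LANGUAGES = {"en", "ja", "de"}  # constructed sample set
DEFAULT_LANGUAGE = "en"


def pick_language(raw):
    """Map the 'language' value onto an allowlist; a bogus value is never
    echoed back and never raises, it falls back to the default."""
    return raw if raw in SUPPORTED_LANGUAGES else DEFAULT_LANGUAGE


def render_options_page(query):
    """Return (status, html_body) for a parsed query dict (hypothetical handler)."""
    lang = pick_language(query.get("language", DEFAULT_LANGUAGE))
    email = query.get("email", "")
    if not _EMAIL_RE.fullmatch(email):
        # Return immediately and keep the rejected value out of the error page.
        return 400, '<html lang="%s"><p>Illegal email address.</p></html>' % lang
    # Escape on output as well: validation can pass characters such as "'"
    # that are legal in an address but meaningful in HTML.
    safe = html.escape(email, quote=True)
    return 200, '<html lang="%s"><p>Options for %s</p></html>' % (lang, safe)


# Constructed requests modelled on the two URLs in the report.
PAYLOAD = "<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>"
SAMPLES = [
    {"language": "en", "email": PAYLOAD},                 # case 1: email
    {"language": PAYLOAD, "email": "user@example.com"},   # case 2: language
    {"language": "ja", "email": "o'brien@example.com"},   # valid, needs escaping
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(*render_options_page(q))
```
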