[Bug 1913241] [NEW] A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.

*** This bug is a security vulnerability ***
Private security bug reported:
A URL with a very long text listname such as https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish... will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
This issue was discovered by Abderrahmane Sahnoun x.virusdz0@gmail.com. same as CVE-2018-13796
** Affects: mailman
   Importance: Undecided
   Assignee: Abderrahmane Sahnoun (xvirusdz)
   Status: New
** Changed in: mailman Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)
** Description changed:
hi team, im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33. it's the same like CVE-2018-13796 here a example of it: - https://homewalkers.net/mailman/roster/wassim + https://homewalkers.net/mailman/roster/type_any_thing_here I await your reply at the earliest time Sincerely;
** Description changed:
- hi team, - im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33. - it's the same like CVE-2018-13796 - here a example of it: - https://homewalkers.net/mailman/roster/type_any_thing_here - I await your reply at the earliest time - Sincerely; + A URL with a very long text listname such as + https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish... + will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site. + + This issue was discovered by Abderrahmane Sahnoun + x.virusdz0@gmail.com.
** Changed in: mailman Assignee: Abderrahmane Sahnoun (xvirusdz) => (unassigned)
** Description changed:
A URL with a very long text listname such as https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish... will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
- This issue was discovered by Abderrahmane Sahnoun - x.virusdz0@gmail.com. + This issue was discovered by Abderrahmane Sahnoun x.virusdz0@gmail.com. + same as CVE-2018-13796
** Changed in: mailman Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)

*** This bug is a duplicate of bug 1780874 *** https://bugs.launchpad.net/bugs/1780874
** This bug has been marked a duplicate of bug 1780874 Arbitrary text injection vulnerability in Mailman CGIs
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13796
** Information type changed from Private Security to Public
Participants (2): Abderrahmane Sahnoun, Mark Sapiro
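The behaviour described in the report, as an added example that is not part of the original bug thread and is not Mailman's own code: an error handler that reflects the requested list name, next to one that returns fixed text and records the name only in the server log. The function names, the `KNOWN_LISTS` set and the sample input are hypothetical, and the fixed-text response is an assumed mitigation rather than the project's actual fix.

```python
import html
import logging

log = logging.getLogger("roster_example")
KNOWN_LISTS = {"announce", "dev"}  # constructed sample data


def listname_from_path(path_info):
    """First component of a CGI-style PATH_INFO such as '/<listname>'."""
    parts = [p for p in path_info.split("/") if p]
    return parts[0] if parts else ""


def no_such_list_reflecting(path_info):
    """'Before': the requested name is echoed into the error page.

    html.escape() stops markup injection, but the visible words are still
    chosen by whoever built the URL, which is the spoofing issue reported.
    """
    name = listname_from_path(path_info)
    if name.lower() in KNOWN_LISTS:
        return None  # list exists, no error page
    body = "<h2>No such list <em>%s</em></h2>" % html.escape(name)
    return ("404 Not Found", body)


def no_such_list_generic(path_info):
    """'After' (assumed mitigation): fixed text only, name goes to the log."""
    name = listname_from_path(path_info)
    if name.lower() in KNOWN_LISTS:
        return None
    # %r escapes control characters so the value cannot forge log lines;
    # the slice bounds how much requester-chosen text is stored.
    log.warning("request for unknown list: %r", name[:80])
    return ("404 Not Found", "<h2>No such list</h2>")


if __name__ == "__main__":
    sample = "/ARBITRARY_TEXT_CHOSEN_BY_REQUESTER"  # constructed input
    print(no_such_list_reflecting(sample))
    print(no_such_list_generic(sample))
```

Escaping alone does not address this class of issue, because the reflected text needs no markup to mislead a reader.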