*** This bug is a security vulnerability ***
Private security bug reported:
A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish...
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
This issue was discovered by Abderrahmane Sahnoun.
Same as CVE-2018-13796.
** Affects: mailman
Importance: Undecided
Assignee: Abderrahmane Sahnoun (xvirusdz)
Status: New
** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)
** Description changed:
hi team,
im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
it's the same like CVE-2018-13796
here a example of it:
- https://homewalkers.net/mailman/roster/wassim
+ https://homewalkers.net/mailman/roster/type_any_thing_here
I await your reply at the earliest time
Sincerely;
** Description changed:
- hi team,
- im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
- it's the same like CVE-2018-13796
- here a example of it:
- https://homewalkers.net/mailman/roster/type_any_thing_here
- I await your reply at the earliest time
- Sincerely;
+ A URL with a very long text listname such as
+ https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish...
+ will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
+
+ This issue was discovered by Abderrahmane Sahnoun
+ .
** Changed in: mailman
Assignee: Abderrahmane Sahnoun (xvirusdz) => (unassigned)
** Description changed:
A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phish...
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
- This issue was discovered by Abderrahmane Sahnoun
- .
+ This issue was discovered by Abderrahmane Sahnoun .
+ same as CVE-2018-13796
** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)
--
https://bugs.launchpad.net/bugs/1913241
Title:
A crafted URL can cause arbitrary text to be displayed on a web page
from a trusted site.
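
The echo behaviour described in this report, next to a handler that does not reflect the requested name, as an added example (not Mailman's code and not the fix that was applied). The function names, the list-name pattern, the sample list set and the request paths are assumptions made for the sketch.

```python
import html
import re

# Assumed list-name policy for this sketch: short, lowercase, no spaces.
VALID_LISTNAME = re.compile(r"[a-z0-9][a-z0-9._+-]{0,63}")
KNOWN_LISTS = {"mailman", "announce"}  # constructed sample data


def listname_from_path(path_info):
    """Return the first component of PATH_INFO, e.g. '/announce' -> 'announce'."""
    parts = [p for p in path_info.split("/") if p]
    return parts[0] if parts else ""


def error_page_echoing(path_info):
    """The pattern the report describes: the requested name is reflected.

    HTML-escaping stops markup injection, but the requester's words still
    appear on a page served by the trusted host.
    """
    name = listname_from_path(path_info)
    if name in KNOWN_LISTS:
        return 200, "Roster for %s" % name
    return 404, "<h2>Error</h2>No such list <em>%s</em>" % html.escape(name)


def error_page_hardened(path_info, log=None):
    """Never reflect an unrecognised name; keep it only in the server log."""
    name = listname_from_path(path_info)
    if VALID_LISTNAME.fullmatch(name) and name in KNOWN_LISTS:
        return 200, "Roster for %s" % name
    if log is not None:
        # repr() neutralises control characters; truncation bounds log size.
        log.append("roster: no such list %r" % name[:80])
    return 404, "<h2>Error</h2>No such list"
```

The hardened handler returns the same fixed body for every unknown name, so the response carries no text chosen by whoever built the URL, while the log entry keeps the requested name for triage.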