[Bug 1884752] [NEW] Brute forcing to match the admin list at www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo

*** This bug is a security vulnerability ***
Private security bug reported:
The brute forcing technique can be implemented to surpass the error message stating "No such list tests". Such an address can exploit users' data: www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo
** Affects: mailman Importance: Undecided Status: New

I don't understand the issue. If I go to https://example.com/mailman//edithtml/tests/listinfo.html?html_code=XSS%20de... (replacing 'example.com' with a real mailman server) I get a response "No such list tests". The query fragment "html_code=XSS%20demo" is apparently ignored. Please explain in more detail what the issue is and the steps to exploit it so I can understand it.

What if you find the right name of a list that exists on the server through brute forcing?

OK. So by brute force attempts, trying multiple possibilities for the list name, you can discover an actual list name on the site, assuming that there are no public lists and merely visiting https://example.com/mailman/listinfo doesn't give you any list names.
So now you have a valid list name, and you go to https://example.com/mailman/edithtml/valid_list/listinfo.html?html_code=XSS%... - you still have to authenticate with the list admin password in order for the update to succeed. I don't see a real issue here as long as the list admin password is secure.

In addition to the above, assuming you get past the authentication issue, there is also a CSRF token that needs to be returned along with the html_code setting to protect against cross site request forgery. I don't think there is any way this attack can succeed.
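The layered checks described above (the list must exist, the request must carry the list admin password, and the CSRF token must be returned with the html_code setting), written out as an added example in Python; this is not Mailman's own code, and the HMAC-based token format, the sample list data and the password hashing are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data, not real Mailman configuration.
SALT = b"constructed-salt"
LISTS = {
    "announce": {
        "admin_password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "listinfo_html": "<p>original page</p>",
    }
}
SERVER_SECRET = secrets.token_bytes(32)  # per-process key for CSRF tokens

def list_exists(listname):
    # Gate 1: guessing a valid list name only gets an attacker this far.
    return listname in LISTS

def check_admin_password(listname, password):
    # Gate 2: list admin password, compared in constant time.
    if not list_exists(listname):
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(LISTS[listname]["admin_password_hash"], got)

def issue_csrf_token(listname, now=None):
    # Token bound to the list name and a timestamp (assumed format "ts:mac").
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_SECRET, f"{listname}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def verify_csrf_token(listname, token, max_age=3600, now=None):
    # Gate 3: token must be unexpired and must match this list.
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    if ts > now or now - ts > max_age:
        return False
    expected = hmac.new(SERVER_SECRET, f"{listname}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def edithtml_update(listname, admin_password, csrf_token, html_code, now=None):
    # Returns a status string; only "OK" means the page template was changed.
    if not list_exists(listname):
        return "No such list"
    if not check_admin_password(listname, admin_password):
        return "Authentication failed"
    if not verify_csrf_token(listname, csrf_token, now=now):
        return "CSRF check failed"
    LISTS[listname]["listinfo_html"] = html_code
    return "OK"
```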
participants (2)
- Kamran Hasan
- Mark Sapiro