[Bug 1780874] [NEW] Arbitrary text injection vulnerability in Mailman CGIs

Mark Sapiro mark at msapiro.net
Mon Jul 9 19:16:13 EDT 2018


*** This bug is a security vulnerability ***

Private security bug reported:

A URL with a very long text listname such as

http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text

will echo the text in the "No such list" error response. This can be
used to make a potential victim think the phishing text comes from a
trusted site.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1780874

Title:
  Arbitrary text injection vulnerability in Mailman CGIs

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1780874/+subscriptions


More information about the Mailman-coders mailing list