[Mailman-Developers] Fw: [ham] Mailman: cross-site scripting bug
mjm at michaelmeltzer.com
Fri Jan 24 19:59:00 EST 2003
Saw this on bugtraq, figured it was a good idea to relay here.
----- Original Message -----
From: <webmaster at procheckup.com>
To: <bugtraq at securityfocus.com>
Sent: Friday, January 24, 2003 9:35 AM
Subject: [ham] Mailman: cross-site scripting bug
> Product: Mailman
> Affected Version: 2.1; no other version has been tested
> Vendor's URL: http://www.gnu.org/software/mailman/
> Solution: TBC
> Author: Manuel Rodriguez
> Mailman is software to help manage electronic mail discussion lists, much
> like Majordomo or Smartmail. And Mailman has web interface systems.
> This is a simple example for version 2.1:
> 1) With mailman options the email variable is vulnerable to cross-site
> You can recognise the vulnerabilities with this type of URL:
> and that proves that any (malicious) script code is possible on web
> interface part of Mailman.
> 2) The default error page mailman generates does not adequately filter its
> input making it susceptible to cross-site scripting.
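
The class of flaw the advisory describes (request input such as the email variable echoed into an options or error page without filtering) and its fix by output escaping, as an added example that is not part of the original post and is not Mailman's code. The templates, function names and probe values are constructed for illustration.

```python
import html

# Hypothetical templates: Mailman's real pages are not shown in the post.
ERROR_PAGE = "<html><body><h2>Error</h2><p>No such member: {email}</p></body></html>"
OPTIONS_FORM = '<form><input type="text" name="email" value="{email}"></form>'

def render_unfiltered(template, email):
    """The flawed pattern: request data is pasted into markup as-is."""
    return template.format(email=email)

def render_escaped(template, email):
    """Fix: HTML-escape at output time; quote=True also covers attribute values."""
    return template.format(email=html.escape(email, quote=True))

# Constructed, inert probe values for a regression test, one per output context.
PROBES = {
    "element": "<b id=probe>x</b>@example.com",
    "attribute": 'x@example.com" data-probe="1',
}

def reflects_markup(render, template, probe):
    """True if the probe's markup-significant characters survive rendering."""
    return probe in render(template, probe)

def audit(render):
    """Return the (template, context) pairs where a probe is reflected raw."""
    findings = []
    for name, template in (("error", ERROR_PAGE), ("options", OPTIONS_FORM)):
        for context, probe in PROBES.items():
            if reflects_markup(render, template, probe):
                findings.append((name, context))
    return findings

if __name__ == "__main__":
    print("unfiltered:", audit(render_unfiltered))
    print("escaped:   ", audit(render_escaped))
```

The same audit can be pointed at a real page renderer in a test suite, so that any template that starts echoing a request parameter unescaped fails the build.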