[Mailman-Developers] Fw: [ham] Mailman: cross-site scripting bug

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Sat Jan 25 11:12:43 EST 2003


Looks like this is the cause of the problem in Cgi/options.py:

     # Avoid cross-site scripting attacks
     safeuser = Utils.websafe(user)
     # Sanity check the user, but be careful about leaking membership
     # information when we're using private rosters.
     if not mlist.isMember(user) and mlist.private_roster == 0:
         doc.addError(_('No such member: %(safeuser)s.'))
         loginpage(mlist, doc, None, cgidata)
         print doc.Format()

The check is passed if the list is closed. ?? Should it be like this?

     if not mlist.isMember(user):
         # On a private roster, do not echo the submitted address at all
         if mlist.private_roster:
             safeuser = _('undisclosed')
         doc.addError(_('No such member: %(safeuser)s.'))

Michael Meltzer wrote:
> saw this on bugtraq, figured it was a good idea to relay here.
> ----- Original Message ----- 
> From: <webmaster at procheckup.com>
> To: <bugtraq at securityfocus.com>
> Sent: Friday, January 24, 2003 9:35 AM
> Subject: [ham] Mailman: cross-site scripting bug
>>Product: Mailman
>>Affected Version: 2.1; no other version has been tested
>>Vendor's URL: http://www.gnu.org/software/mailman/
>>Solution: TBC
>>Author: Manuel Rodriguez
>>Mailman is software to help manage electronic mail discussion lists, much 
>>like Majordomo or Smartmail.  And Mailman has a web interface.
>>This is a simple example for version 2.1:
>>1) With mailman options the email variable is vulnerable to cross-site 
>>You can recognise the vulnerabilities with this type of URL:
>>and that proves that any (malicious) script code is possible on the web 
>>interface part of Mailman.
>>2) The default error page mailman generates does not adequately filter its 
>>input making it susceptible to cross-site scripting.
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers

Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
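The pattern under discussion, escape the submitted address before it is echoed in the error text and substitute a neutral word on a private roster, written out as a small stand-alone example. This is added illustrative code, not Mailman's own; `websafe()` here is a constructed stand-in for Mailman's `Utils.websafe()` built on Python 3's `html.escape`, and the `is_member` / `private_roster` parameters replace the `mlist.isMember()` and `mlist.private_roster` lookups seen in the snippet above.

```python
import html


def websafe(s):
    """Constructed stand-in for Mailman's Utils.websafe(): escape the
    characters that would let a submitted value break out of the HTML
    text node it is placed in (&, <, >, and both quote characters)."""
    return html.escape(s, quote=True)


def no_such_member_error(user, is_member, private_roster):
    """Return the error sentence the options page should show, or None
    when the address is a member and no error applies.

    The submitted value is escaped before being interpolated, and on a
    list with a private roster it is replaced by a fixed word so the
    page does not echo the address back (the substitution proposed in
    the message above). Assumed inputs: is_member and private_roster
    are plain booleans here rather than Mailman list attributes.
    """
    if is_member:
        return None
    safeuser = websafe(user)
    if private_roster:
        safeuser = 'undisclosed'
    return 'No such member: %(safeuser)s.' % {'safeuser': safeuser}


def error_paragraph(user, is_member, private_roster):
    """Wrap the error sentence in the HTML the page would emit, or return
    None when there is no error. Because the value was escaped first, the
    only tags in the result are the wrapper's own."""
    msg = no_such_member_error(user, is_member, private_roster)
    if msg is None:
        return None
    return '<p class="error">%s</p>' % msg


if __name__ == '__main__':
    # Constructed sample: an address carrying markup, on a public roster.
    print(error_paragraph('<b>bob</b>@example.invalid', False, False))
    # The same address on a private roster is not echoed at all.
    print(error_paragraph('<b>bob</b>@example.invalid', False, True))
```

Run as a script, the first line printed contains `&lt;b&gt;bob&lt;/b&gt;` inside the paragraph, so the submitted markup is rendered as text rather than parsed as tags; the second line prints `No such member: undisclosed.` regardless of what was submitted. Note that the original check in `options.py` skipped the error entirely when the roster was private; whichever variant a list uses, the escaping step is what removes the cross-site scripting condition reported on bugtraq.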
