[Mailman-Developers] Fix for cross-site scripting bug in Mailman 2.1.0

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Mon Jan 27 14:17:14 EST 2003


I forgot to realize language part of the bugtraq report!
There are also language=<...> bug in listinfo.py, roster.py
and subscribe.py. Is this bug in the error reporting function
of python cgilib? Better to correct the library I suppose.

Sorry but I have no time to generate patch now.

Barry A. Warsaw wrote:
> The cross-site scripting bug in Mailman 2.1.0 that was reported on
> Bugtraq has been fixed.  My thanks to all who reported this (except
> unfortunately the person who posted it to bugtraq before contacting me
> first. :/ ).  Special thanks to Tokio Kikuchi who worked out the
> essential fix.
> The patch is at:
>     http://sourceforge.net/project/showfiles.php?group_id=103
> (see the file xss-2.1.0-patch.txt)
> And the original Bugtraq announcement is here:
>     http://online.securityfocus.com/archive/1/308154
> This patch will be part of Mailman 2.1.1 which is nearing release.
> -Barry
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers

Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp

More information about the Mailman-Developers mailing list