[Mailman-Users] Possible XSS in Mailman 2.1.4

Ho Yin Au hya at bluesite.com
Sat Feb 21 23:35:15 CET 2004


I think I've stumbled on a possible Cross-Site-Scripting vulnerability 
in Mailman 2.1.4.  Take a look:

* Set up a new list and configure it with private archives
* Try to view the archives - enter something like <script 
language="JavaScript">window.alert(document.cookie)</script> into the 
EMail Address box.  Click on "Let me in."

On a side note, is it possible for that page to not reveal any sensitive 
information such as path and environmental variables?

-Ho Yin

More information about the Mailman-Users mailing list