
From zeno@cgisecurity.net Fri Jan 11 12:56:26 2002
From: zeno <zeno@cgisecurity.net>
To: bugs@securitytracker.com, bugtraq@securityfocus.com,
    vuln-dev@securityfocus.com, vulnwatch@vulnwatch.org
Date: Fri, 11 Jan 2002 01:46:37 -0800 (PST)
Subject: [VulnWatch] Cgisecurity.com Advisory #7: Mailman Email Archive Cross Site Scripting

Hello,

This isn't a major threat or anything but this product does allow cross site scripting.
From the list of sites below as examples you get an idea of just how popular this product is.

http://www1.dshield.org/mailman/listinfo/<img%20src=javascript:alert(document.domain)>
http://mail.gnu.org/mailman/listinfo/<img%20src=javascript:alert(document.domain)>
http://lists.bell-labs.com/mailman/listinfo/<img%20src=javascript:alert(document.domain)>
http://mail.gnome.org/mailman/listinfo/<img%20src=javascript:alert(document.domain)>
http://www.lists.apple.com/mailman/listinfo/<img%20src=javascript:alert(document.domain)>

Patching information is included within the advisory.

- zeno

PS: advisory can also be located at http://www.cgisecurity.org/advisory/7.txt

                                  [ Cgi Security Advisory #7 ]
                                     admin@cgisecurity.com
                         Mailman Email archiver Cross Site Scripting Hole




Found
November 2001

Public Release
Sometime in November 2001


Vendor Contacted
November 2001

Scripts Affected: Mailman Email Archiver
Price: Free

Versions:
All versions appear to be affected

Platforms:
Unix, Linux, Other? 

Vendor:
http://sourceforge.net/projects/mailman


1. Problem

This product is affected by a Cross Site Scripting hole, which may allow
an attacker to trick a user into thinking something the attacker wrote
actually came from the site that is affected. This involves some social
engineering to a point but could possibly allow gathering of user information
and other types of fraud.


http://host/mailman/listinfo/<img%20src=javascript:alert(document.domain)>

This will gladly show you a pop up javascript box.


2. Fixes

The vendor has been notified of the problem.
Upgrade to version 2.0.8 in order to fix this problem.

TarBalls
http://sourceforge.net/project/showfiles.php?group_id=103




Published to the Public November 2001
Copyright November 2001 Cgisecurity.com
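
Added illustration (not part of the original advisory and not Mailman's code): a minimal Python handler that echoes the path component after /listinfo/ into an error page, next to a version that HTML-escapes it, plus a check that can serve as a regression test after upgrading. The handler functions, the error-page wording and the list name are assumptions made for the example.

```python
import html
from urllib.parse import unquote

# Constructed request path, using the test string from the advisory.
SAMPLE_PATH = "/mailman/listinfo/<img%20src=javascript:alert(document.domain)>"
KNOWN_LISTS = {"mailman-users"}  # constructed sample data
PREFIX = "/mailman/listinfo/"


def list_name_from_path(path):
    """Return the URL-decoded path component that follows /listinfo/."""
    if not path.startswith(PREFIX):
        raise ValueError("not a listinfo request")
    return unquote(path[len(PREFIX):])


def render_unsafe(path):
    """'Before' (hypothetical): the requested name is echoed verbatim."""
    name = list_name_from_path(path)
    if name in KNOWN_LISTS:
        return "<h1>%s</h1>" % name
    return "<h1>Error</h1><p>No such list <em>%s</em></p>" % name


def render_safe(path):
    """'After' (hypothetical): the name is HTML-escaped at output time."""
    name = html.escape(list_name_from_path(path), quote=True)
    if html.unescape(name) in KNOWN_LISTS:
        return "<h1>%s</h1>" % name
    return "<h1>Error</h1><p>No such list <em>%s</em></p>" % name


def reflects_markup(page, path):
    """True if a request value containing HTML metacharacters comes back
    unescaped in the response body."""
    name = list_name_from_path(path)
    return any(c in name for c in "<>\"'") and name in page


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render(SAMPLE_PATH)
        print(render.__name__, "reflects markup:",
              reflects_markup(page, SAMPLE_PATH))
        print("   ", page)
```
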


