Bug#: 77524
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jean-François Brunette (RETIRED) <formula7@gentoo.org>
Description:   Opened: 2005-01-11 07:57 0000
mailman vulnerabilities
CAN-2004-1177, http://bugs.debian.org/285839


Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.


Important note:

There is currently another known vulnerability: when a user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords, which allows brute-force attacks.

A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-11 07:58:46 0000 -------
*** Bug 74459 has been marked as a duplicate of this bug. ***

------- Comment #2 From Tuan Van (RETIRED) 2005-01-11 09:25:13 0000 -------
our mailman doesn't have 55_options_traceback.dpatch applied.

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-01-13 09:56:19 0000 -------
The mentioned 55_options_traceback.dpatch in the debian bug report appears
unrelated to the reported issue. Updated URI with Ubuntu bug report.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-01-13 22:15:51 0000 -------
Upstream fix is located here:

http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint

And ChangeLog says:
Close a potential cross-site scripting hole, discovered by Florian Weimer.
Initial patch provided by Florian, modified by Barry.

Also, turn STEALTH_MODE on by default.  Most sites won't change this value
from its default, so we might as well use the more secure option.  Also, if
STEALTH_MODE is turned off, but the websafe() function can't be imported, turn
STEALTH_MODE back on.
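
As an added illustration of the bug class and of the fix logic the ChangeLog describes (this is not Mailman's own code: the error-page template is constructed, and `websafe` is a stand-in built on Python's `html.escape`): the "before" renderer copies the request path into the page unmodified, the "after" renderer escapes it and falls back to STEALTH_MODE when no escaper is available.

```python
import html

# Mirrors the upstream default change: with STEALTH_MODE on, the error
# page reveals nothing about the failing request.
STEALTH_MODE = True

# Constructed sample request path containing markup, used for the check below.
SAMPLE_PATH = "/mailman/listinfo/<script>alert(1)</script>"

TEMPLATE = "<html><body><h1>Bug in Mailman</h1><p>Request: %s</p></body></html>"


def websafe(text):
    """Escape text for inclusion in HTML (stand-in for Mailman's helper)."""
    return html.escape(text, quote=True)


def render_error_vulnerable(path_info):
    """'Before' behaviour: the request path is reflected unmodified."""
    return TEMPLATE % path_info


def render_error_fixed(path_info, stealth=STEALTH_MODE, escaper=websafe):
    """'After' behaviour: escape what is reflected, and fail closed.

    escaper=None models the case where websafe() cannot be imported;
    the ChangeLog rule is to force STEALTH_MODE back on in that case.
    """
    if escaper is None:
        stealth = True
    detail = "(details withheld)" if stealth else escaper(path_info)
    return TEMPLATE % detail


def reflects_raw_markup(page, marker="<script"):
    """Defender's check: does the rendered page still carry the raw tag?"""
    return marker in page.lower()
```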

------- Comment #5 From Thierry Carrez (RETIRED) 2005-01-15 13:12:07 0000 -------
net-mail herd: please check and apply patch from comment #4.

------- Comment #6 From Tuan Van (RETIRED) 2005-01-15 19:22:38 0000 -------
ebuild with patch committed.

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-01-16 05:10:30 0000 -------
Thx Tuan.

Arches please mark mailman-2.1.5-r3 stable.

------- Comment #8 From Jason Wever (RETIRED) 2005-01-16 13:04:01 0000 -------
sparc'd

------- Comment #9 From Tuan Van (RETIRED) 2005-01-16 21:27:55 0000 -------
x86 done.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-01-19 01:47:27 0000 -------
I would say this needs a GLSA, because list administration apps are quite
accessible and make worthy targets. Furthermore we can do the same as Ubuntu
and issue a small warning about the relative autopassword weakness issue (even
if it's not worth a vulnerability by itself).

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-01-19 01:56:56 0000 -------
I vote for GLSA on this one too, Mailman is pretty widespread.

------- Comment #12 From Karol Wojtaszek (RETIRED) 2005-01-19 12:57:41 0000 -------
Stable on amd64

------- Comment #13 From Luke Macken (RETIRED) 2005-01-21 16:04:36 0000 -------
GLSA 200501-29
