Bug 77524 - net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver
Bug#: 77524 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: formula7@gentoo.org
Component: Vulnerabilities
URL:  https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
Summary: net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver
Keywords:  
Status Whiteboard: B4 [glsa] jaervosz
Opened: 2005-01-11 07:57 0000
Description:   Opened: 2005-01-11 07:57 0000 
mailman vulnerabilities
CAN-2004-1177, http://bugs.debian.org/285839


Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.


Important note:

There is currently another known vulnerability: when an user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords which allows brute force attacks.

A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-11 07:58:46 0000 ------- 
*** Bug 74459 has been marked as a duplicate of this bug. ***

------- Comment #2 From Tuan Van (RETIRED) 2005-01-11 09:25:13 0000 ------- 
our mailman doesn't have 55_options_traceback.dpatch apply.

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-01-13 09:56:19 0000 ------- 
The mentioned 55_options_traceback.dpatch in the debian bug report appears
unrelated to the reported issue. Updated URI with Ubuntu bug report.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-01-13 22:15:51 0000 ------- 
Upstream fix is located here:

http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint

And ChangeLog says:
Close a potential cross-site scripting hole, discovered by Florian Weimer.
Initial patch provided by Florian, modified by Barry.

Also, turn STEALTH_MODE on by default.  Most sites won't change this value
from its default, so we might as well use the more secure option.  Also, if
STEALTH_MODE is turned off, but the websafe() function can't be imported, turn
STEALTH_MODE back on.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-01-15 13:12:07 0000 ------- 
net-mail herd: please check and apply patch from comment #4.

------- Comment #6 From Tuan Van (RETIRED) 2005-01-15 19:22:38 0000 ------- 
ebuild with patch commited.

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-01-16 05:10:30 0000 ------- 
Thx Tuan.

Arches please mark mailman-2.1.5-r3 stable.

------- Comment #8 From Jason Wever (RETIRED) 2005-01-16 13:04:01 0000 ------- 
sparc'd

------- Comment #9 From Tuan Van (RETIRED) 2005-01-16 21:27:55 0000 ------- 
x86 done.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-01-19 01:47:27 0000 ------- 
I would say this needs a GLSA, because list administration apps are quite
accessible and make worthy targets. Furthermore we can do the same as Ubuntu
and issue a small warning about the relative autopassword weakness issue (even
if it's not worth a vulnerability by itself).

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-01-19 01:56:56 0000 ------- 
I vote for GLSA on this one too, Mailman is pretty widespread.

------- Comment #12 From Karol Wojtaszek (RETIRED) 2005-01-19 12:57:41 0000 ------- 
Stable on amd64

------- Comment #13 From Luke Macken (RETIRED) 2005-01-21 16:04:36 0000 ------- 
GLSA 200501-29