[Owasp-leaders] Mailman script insertion vulnerabilities

Magno Logan magno.logan at owasp.org
Thu Feb 24 04:05:52 EST 2011


Source: http://www.net-security.org/secworld.php?id=10640

"Some vulnerabilities have been reported in Mailman, which can be exploited
by malicious users to conduct script insertion attacks, according to
Secunia.

Input passed via the "full name" is not properly sanitised before being used
in the "Confirm unsubscription request", "Confirm change of email address
request", and "Re-enable mailing list membership" pages.

This can be exploited to insert arbitrary HTML and script code, which will
be executed in a user's browser session in the context of an affected site when
the malicious data is being viewed.

The vulnerabilities are reported in version 2.1.14. Other versions may also
be affected.

A patch is available."
The mailman from my chapter is version 2.1.8. Don't know if everyone has the
same version. But since my version is older than the one affected, I guess
we all are too. Shouldn't we update?

English: http://www.debian.org/security/2011/dsa-2170

Portuguese: http://blog.alexos.com.br/?p=2285&lang=pt-br
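To make concrete what "not properly sanitised before being used in the ... pages" means in the quoted advisory, here is an added example (written for this post, not Mailman's own code) that renders a minimal confirmation page fragment the vulnerable way and the hardened way, then checks whether markup from the untrusted "full name" field reaches the page verbatim. The function names, the page markup and the sample names are all constructed for illustration.

```python
import html
import re

# Constructed sample "full name" values as a list owner might find them in
# member data. The tags are illustrative of untrusted input, not real payloads.
SAMPLE_NAMES = [
    "Alice Example",
    "Bob <b>Bold</b>",
    "Mallory <script>alert(1)</script>",
]


def render_unsubscribe_confirm_unsafe(full_name: str, list_name: str) -> str:
    """Vulnerable pattern (hypothetical): the user-supplied name is
    interpolated verbatim, so any HTML it contains becomes part of the page."""
    return (
        "<h1>Confirm unsubscription request</h1>"
        f"<p>{full_name}, please confirm that you want to leave {list_name}.</p>"
    )


def render_unsubscribe_confirm_safe(full_name: str, list_name: str) -> str:
    """Hardened pattern: HTML-escape every untrusted field at the point it is
    written into the page. quote=True also escapes quotes, so the value is
    safe inside attribute values as well as element text."""
    return (
        "<h1>Confirm unsubscription request</h1>"
        f"<p>{html.escape(full_name, quote=True)}, please confirm that you "
        f"want to leave {html.escape(list_name, quote=True)}.</p>"
    )


_TAG_RE = re.compile(r"<[^>]+>")


def leaked_tags(full_name: str, rendered_page: str) -> list[str]:
    """Detection helper: return the HTML tags present in the raw name that
    also appear verbatim in the rendered page. An empty list means the
    field was neutralised before output."""
    return [tag for tag in _TAG_RE.findall(full_name) if tag in rendered_page]


def audit(list_name: str = "example-list") -> dict[str, dict[str, list[str]]]:
    """Run both renderers over the sample names and report leaked tags."""
    report = {}
    for name in SAMPLE_NAMES:
        report[name] = {
            "unsafe": leaked_tags(name, render_unsubscribe_confirm_unsafe(name, list_name)),
            "safe": leaked_tags(name, render_unsubscribe_confirm_safe(name, list_name)),
        }
    return report


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name!r}: unsafe leaks {result['unsafe']}, safe leaks {result['safe']}")
```

The escaping has to happen where the value is written into HTML, not where it is stored: the same name is legitimately stored with whatever characters the subscriber typed, and the three affected pages are simply three output sites that each need the escape.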


Regards,

-- 
Magno (Logan) Rodrigues
OWASP Paraiba - Chapter Leader <http://www.owasp.org/index.php/Paraiba>
Twitter: @magnologan <http://www.twitter.com/magnologan>