[Owasp-leaders] Mailman script insertion vulnerabilities

Nam Nguyen namn at bluemoon.com.vn
Thu Feb 24 04:31:51 EST 2011


This looks like a very limited vulnerability in view of exploitation.
Nam

On Thu, 24 Feb 2011 06:05:52 -0300
Magno Logan <magno.logan at owasp.org> wrote:

> Source: http://www.net-security.org/secworld.php?id=10640
> 
> "Some vulnerabilities have been reported in Mailman, which can be exploited
> by malicious users to conduct script insertion attacks, according to
> Secunia.
> 
> Input passed via the "full name" is not properly sanitised before being used
> in the "Confirm unsubscription request", "Confirm change of email address
> request", and "Re-enable mailing list membership" pages.
> 
> This can be exploited to insert arbitrary HTML and script code, which will
> be executed in a user's browser session in context of an affected site when
> the malicious data is being viewed.
> 
> The vulnerabilities are reported in version 2.1.14. Other versions may also
> be affected.
> 
> A patch is available."
> 
> The mailman from my chapter is version 2.1.8. Don't know if everyone has the
> same version. But since my version is older than the one affected, I guess
> we all are too. Shouldn't we update?
> 
> English: http://www.debian.org/security/2011/dsa-2170
> 
> Portuguese: http://blog.alexos.com.br/?p=2285&lang=pt-br
> 
> 
> Regards,
> 
> -- 
> Magno (Logan) Rodrigues
> OWASP Paraiba - Chapter Leader <http://www.owasp.org/index.php/Paraiba>
> Twitter: @magnologan <http://www.twitter.com/magnologan>


-- 
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn
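
Added example, not part of the thread and not Mailman's code: a regression check for the issue the quoted advisory describes, where the stored "full name" reaches a confirmation page without output encoding. The template, function names and sample name are constructed for illustration; only the three page titles come from the advisory.

```python
import html
from collections import Counter
from html.parser import HTMLParser

# Page titles as listed in the quoted advisory.
TITLES = [
    "Confirm unsubscription request",
    "Confirm change of email address request",
    "Re-enable mailing list membership",
]
# Hypothetical template; Mailman's real templates differ.
TEMPLATE = "<html><body><h2>{title}</h2><p>Real name: {name}</p></body></html>"
# Constructed sample value for the "full name" field.
SAMPLE_NAME = "Alice <script>alert(1)</script>"


def render_unsafe(title, full_name):
    # Weak form: the stored full name is interpolated as-is.
    return TEMPLATE.format(title=title, name=full_name)


def render_safe(title, full_name):
    # Hardened form: encode for the HTML context at output time.
    return TEMPLATE.format(title=html.escape(title),
                           name=html.escape(full_name, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(render, title, full_name):
    """Tags that appear only because of the name, compared with a plain name."""
    baseline = Counter(tags_in(render(title, "Plain Name")))
    actual = Counter(tags_in(render(title, full_name)))
    return sorted((actual - baseline).elements())
```

A non-empty result from `injected_tags` for any of the three titles means markup in the name field is reaching the page as live HTML.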

