[Owasp-leaders] Mailman script insertion vulnerabilities
namn at bluemoon.com.vn
Thu Feb 24 04:31:51 EST 2011
This looks like a very limited vulnerability in view of exploitation.
On Thu, 24 Feb 2011 06:05:52 -0300
Magno Logan <magno.logan at owasp.org> wrote:
> Source: http://www.net-security.org/secworld.php?id=10640
> "Some vulnerabilities have been reported in Mailman, which can be exploited
> by malicious users to conduct script insertion attacks, according to
> Input passed via the "full name" is not properly sanitised before being used
> in the "Confirm unsubscription request", "Confirm change of email address
> request", and "Re-enable mailing list membership" pages.
> This can be exploited to insert arbitrary HTML and script code, which will
> be executed in a user's browser session in context of an affected site when
> the malicious data is being viewed.
> The vulnerabilities are reported in version 2.1.14. Other versions may also
> be affected.
> A patch is available."
> The mailman from my chapter is version 2.1.8. Don't know if everyone has the
> same version. But since my version is older than the one affected, I guess
> we all are too. Shouldn't we update?
> English: http://www.debian.org/security/2011/dsa-2170
> Portuguese: http://blog.alexos.com.br/?p=2285&lang=pt-br
> Magno (Logan) Rodrigues
> OWASP Paraiba - Chapter Leader <http://www.owasp.org/index.php/Paraiba>
> Twitter: @magnologan <http://www.twitter.com/magnologan>
Nam Nguyen, CISA, CISSP, CSSLP
Blue Moon Consulting Co., Ltd
More information about the OWASP-Leaders