-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SA0013 - Public Advisory +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ Mailman 2.1.8 Multiple Security Issues +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PUBLISHED ON Sep 13, 2006 PUBLISHED AT http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt.sig PUBLISHED BY Moritz Naumann IT Consulting & Services Hamburg, Germany http://moritz-naumann.com/ security AT moritz HYPHON naumann D0T com GPG key: http://moritz-naumann.com/keys/0x277F060C.asc AFFECTED APPLICATION OR SERVICE Mailman http://mailman.sf.net Mailman is a mailing list server. It comes with a web based management interface, built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more. It is a Free Software (GPL). AFFECTED VERSIONS Versions 2.1.0 up to and including 2.1.8. Earlier versions may be affected, too. ISSUES Mailman is subject to multiple security vulnerabilities, ranging from cross site scripting to log file injection. +++++ 1. Cross Site Scripting (CVE-2006-3636) Vulnerable versions of the application are subject to a XSS vulnerability in several functions and several parameters in the mailing list administration area of the web interface. An attacker may inject arbitrary client side script code into several parameters through HTTP GET and POST method requests. Some of the injections will result in persistent injection of malicious scripting code. To exploit these issues, prior successful authentication of the victim IS required. As such, only users who have a valid cookie for a specific mailing list stored in their client (including administrators who do not make use of the logout function) are vulnerable to this. The following partial URLs demonstrate some of the issues: [BaseURI]/mailman/admin/mailman/members?findmember=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22 [BaseURI]/mailman/edithtml/tests/listinfo.html?html_code=

XSS%20demo

+++++ 2. Log file injection The application is subject to a log injection vulnerability. By injecting CRLF sequences followed by fake time stamps, an attacker may inject additional lines into the log files created by the application. The following partial URL demonstrates this issue: [BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun%2012%2018:22:08%202033%20mailmanctl(24851):%20%22Your%20Mailman%20license%20has%20expired.%20Please%20obtain%20an%20upgrade%20at%20www.phishme.site This will result in a message similar to the following to be written into /var/log/mailman/error.log: Jun 11 18:50:43 2006 (32743) No such list "doesntexist": jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license has expired. please obtain an upgrade at www.phishme.site" BACKGROUND Cross Site Scripting (XSS): Cross Site Scripting, also known as XSS or CSS, describes the injection of malicious content into output produced by a web application. A common attack vector is the inclusion of arbitrary client side script code into the applications' output. Failure to completely sanitize user input from malicious content can cause a web application to be vulnerable to Cross Site Scripting. http://www.owasp.org/index.php/Cross_site_scripting http://www.cgisecurity.net/articles/xss-faq.shtml Log Injection Log injection describes the manipulation of log files as generated by an application or service in a way which is not originally intended by the programmers. An attacker may exploit this vulnerability to hide an ongoing attack or to trick the administrator of the target system into taking actions s/he would not otherwise take. http://www.owasp.org/index.php/Log_injection WORKAROUNDS Issue 1: Client: Disable Javascript. Server: Prevent access to web administration interface. Issue 2: Client: N/A. Server: Ignore all lower case log lines. SOLUTIONS The Mailman developers have released version 2.1.9 yesterday. This is supposed to fix all of the above issues. The updated packages are available at http://sf.net/project/showfiles.php?group_id=103&package_id=69562&release_id=447065 REFERENCES Developer Release Announcement http://mail.python.org/pipermail/mailman-announce/2006-September/000087.html Mailman 2.1.9 Release Notes http://sf.net/project/shownotes.php?group_id=103&release_id=447065 ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License Germany http://creativecommons.org/licenses/by-sa/2.0/de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFCJqNn6GkvSd/BgwRAqbAAJ9ZLJulLPR8J0z02sCPQphr4YFGlACfR4h5 Y3b1TokfGg6CGYY1fr+C3vI= =MYVB -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/