Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: office (office_at_office.ac)
Date: Wed Jul 24 2002 - 03:03:30 CDT
Mailman: cross-site scripting bug
Affected Version: 2.0.11 and under it
Vendor's URL: http://www.gnu.org/software/mailman/
Solution: Use fixed version 2.0.12 or later
Mailman is software to help manage electronic mail discussion lists, much
like Majordomo or Smartmail. And Mailman have web interface system.
This is simple example for version 2.0.10:
You can recognize the vulnerability with this type of URL;
and that prove that any (malicious) script code is possible on web
interface part of Mailman.
For example, if you access to this URL with Internet Explorer (other
browser is not affected by the URL), the page figure is similar to
real one, but the password of admin you enter and submit are send
to another malicious site (http://www.office.ac/). This URL are valid for version 2.0.10.
And Mailman 2.0.11 still have vulnerabilities, if you access to these
URL with Internet Explorer (other browser is not affected by these
URL), your information in cookie about the mailman_site could be
send another malicious site (http://www.office.ac/).