Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-disclosure] Mailman 2.1.8 Multiple Security Issues
From: Moritz Naumann (securitymoritz-naumann.com)
Date: Wed Sep 13 2006 - 18:55:57 CDT
-----BEGIN PGP SIGNED MESSAGE-----
SA0013 - Public Advisory
+++++ Mailman 2.1.8 Multiple Security Issues +++++
Sep 13, 2006
Moritz Naumann IT Consulting & Services
security AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
Mailman is a mailing list server. It comes with a web based
management interface, built-in archiving, automatic bounce
processing, content filtering, digest delivery, spam filters,
and more. It is a Free Software (GPL).
Versions 2.1.0 up to and including 2.1.8.
Earlier versions may be affected, too.
Mailman is subject to multiple security vulnerabilities,
ranging from cross site scripting to log file injection.
+++++ 1. Cross Site Scripting (CVE-2006-3636)
Vulnerable versions of the application are subject to a XSS
vulnerability in several functions and several parameters
in the mailing list administration area of the web
interface. An attacker may inject arbitrary client side
script code into several parameters through HTTP GET and
POST method requests. Some of the injections will result
in persistent injection of malicious scripting code.
To exploit these issues, prior successful authentication
of the victim IS required. As such, only users who have a
valid cookie for a specific mailing list stored in their
client (including administrators who do not make use of the
logout function) are vulnerable to this.
The following partial URLs demonstrate some of the issues:
+++++ 2. Log file injection
The application is subject to a log injection vulnerability.
By injecting CRLF sequences followed by fake time stamps,
an attacker may inject additional lines into the log files
created by the application.
The following partial URL demonstrates this issue:
This will result in a message similar to the following to
be written into /var/log/mailman/error.log:
Jun 11 18:50:43 2006 (32743) No such list "doesntexist":
jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license
has expired. please obtain an upgrade at www.phishme.site"
Cross Site Scripting (XSS):
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content can cause a web application
to be vulnerable to Cross Site Scripting.
Log injection describes the manipulation of log files as
generated by an application or service in a way which is
not originally intended by the programmers. An attacker
may exploit this vulnerability to hide an ongoing attack
or to trick the administrator of the target system into
taking actions s/he would not otherwise take.
Server: Prevent access to web administration interface.
Server: Ignore all lower case log lines.
The Mailman developers have released version 2.1.9 yesterday.
This is supposed to fix all of the above issues. The updated
packages are available at
Developer Release Announcement
Mailman 2.1.9 Release Notes
Creative Commons Attribution-ShareAlike License Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/