89038 2003-01-27  21:30  /10 lines/ Barry Warsaw <barry@python.org>
Imported: 2003-01-27  21:30  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3283>
Subject: Re: Mailman: cross-site scripting bug
------------------------------------------------------------
In-Reply-To: <20030124143507.32126.qmail@mail.securityfocus.com>

A fix for this has now been posted.  Please see the
xss-2.1.0-patch.txt file referenced here:

http://sourceforge.net/project/showfiles.php?group_id=103

This fix will be part of Mailman 2.1.1 when that
release is ready.
(89038) /Barry Warsaw <barry@python.org>/-----------
89039 2003-01-27  22:18  /23 lines/ Axel Beckert - ecos gmbh <beckert@ecos.de>
Imported: 2003-01-27  22:18  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3284>
Comment on text 88941 by Leif Sawyer <lsawyer@gci.com>
Subject: Re: Mailman: cross-site scripting bug
------------------------------------------------------------
At Fri, Jan 24, 2003 at 12:32:37PM -0900, Leif Sawyer wrote:
> https://workserver//mailman/options/ak3barons?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
> 
> returns:
> 
> <h2>Error</h2><strong>Invalid options to CGI script.</strong>
> 
> 2.0.11 doesn't seem to be vulnerable to this.

Same counts for 2.0.13 on Apache 1.3.27.

            Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     beckert@ecos.de         Voice:   +49 6133 939-220
WWW:        http://www.ecos.de/     Fax:     +49 6133 939-111
-------------------------------------------------------------
(89039) /Axel Beckert - ecos gmbh <beckert@ecos.de>/
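As an added illustration that is not part of this thread and not Mailman's own code: the report above describes a `language` query parameter being echoed into the options page unchanged. The hypothetical Python handler below shows that pattern next to a hardened version that rejects any value outside an allowlist of language codes (answering with the same "Invalid options to CGI script." error the 2.0.x releases returned for the test URL) and HTML-escapes whatever it does echo. The allowlist contents, the page markup and the function names are assumptions made for this example.

```python
import html
import urllib.parse

# Constructed allowlist of language codes the hypothetical options page
# accepts. Mailman keeps its own table; this one is an assumption.
SUPPORTED_LANGUAGES = {"en", "de", "fr", "sv"}

# Query string taken from the test URL quoted in the report (constructed
# for this example; the host and list name are irrelevant here).
REPORTED_QUERY = "language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>"

INVALID_OPTIONS = "<h2>Error</h2><strong>Invalid options to CGI script.</strong>"


def language_param(query_string):
    """Return the first `language` value from a CGI query string, defaulting to 'en'."""
    params = urllib.parse.parse_qs(query_string)
    return params.get("language", ["en"])[0]


def vulnerable_render(query_string):
    """Echo the raw parameter into the page: the reflected-XSS shape the report describes."""
    language = language_param(query_string)
    return f"<h2>Options</h2><p>Language: {language}</p>"


def hardened_render(query_string):
    """Allowlist the parameter first, then escape it on output as defence in depth."""
    language = language_param(query_string)
    if language not in SUPPORTED_LANGUAGES:
        # Unknown codes are rejected outright, mirroring the 2.0.x behaviour
        # quoted in the thread, so no attacker-controlled text is emitted.
        return INVALID_OPTIONS
    # Even an allowlisted value is escaped so a future allowlist mistake
    # cannot reintroduce markup into the response.
    return f"<h2>Options</h2><p>Language: {html.escape(language)}</p>"


def reflects_markup(body, value):
    """True if the raw parameter value appears in the response body unescaped."""
    return value in body


if __name__ == "__main__":
    value = language_param(REPORTED_QUERY)
    print("vulnerable reflects payload:", reflects_markup(vulnerable_render(REPORTED_QUERY), value))
    print("hardened reflects payload:  ", reflects_markup(hardened_render(REPORTED_QUERY), value))
    print(hardened_render("language=de"))
```

The allowlist check alone closes the reported issue, since a language code never contains markup; the `html.escape` call on the accepted value costs nothing and protects the page if the allowlist is ever widened to include values that are not plain tokens. A quick regression check for a deployment is to request the options page with a non-existent language value and confirm the response is the error page rather than a page containing the submitted text.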