SecurityTracker.com
Category:   Application (E-mail Server)  >   Mailman
Vendors:   GNU [multiple authors]
Mailman Input Validation Error in 'scripts/driver' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013494
SecurityTracker URL:  http://securitytracker.com/id/1013494
CVE Reference:   CVE-2004-1177
Updated:  Mar 28 2005
Original Entry Date:  Mar 21 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.15 and prior versions
Description:   An input validation vulnerability was reported in Mailman when processing error messages. A remote user can conduct cross-site scripting attacks.

The 'scripts/driver' code does not properly escape the <>& characters from environment variables when printing an error message. A remote user can create a specially crafted URL (designed to trigger a Mailman error) that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Mailman software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Florian Weimer reported this vulnerability.
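
The escaping described above, as an added Python 3 example that is not Mailman's code or the patch in this advisory: it renders an error-page environment table without and with entity escaping, and escapes exception details the same way. The function names, the suppressed-details message and the sample environment are constructed for illustration.

```python
# Added example, not Mailman code: error-page rendering with and without
# entity escaping. Function names and sample data are constructed.
from html import escape as html_escape

ROW = '<tr><td><tt>%s</tt></td><td>%s</td></tr>'


def render_env_unsafe(environ):
    """Pre-fix behaviour: keys and values reach the page unescaped."""
    rows = [ROW % (k, v) for k, v in sorted(environ.items())]
    return '<table>\n%s\n</table>' % '\n'.join(rows)


def render_env_safe(environ, escaper=html_escape):
    """Post-fix behaviour: escape every key and value. With no escaper
    available, act as in stealth mode and print no details at all."""
    if escaper is None:
        return '<p>[details suppressed]</p>'
    rows = [ROW % (escaper(str(k)), escaper(str(v)))
            for k, v in sorted(environ.items())]
    return '<table>\n%s\n</table>' % '\n'.join(rows)


def render_exc_safe(exc_type, exc_value, escaper=html_escape):
    """Escape exception details: str() first because the escaper expects
    text, and a tuple because % needs one to fill two fields."""
    return '[exc: %s, var: %s]' % tuple(
        escaper(str(x)) for x in (exc_type, exc_value))


# Constructed CGI environment; request-derived values carry markup.
SAMPLE_ENV = {
    'REQUEST_METHOD': 'GET',
    'PATH_INFO': '/listinfo/<b>constructed</b>',
    'QUERY_STRING': 'a=1&b=<i>2</i>',
}

if __name__ == '__main__':
    print(render_env_unsafe(SAMPLE_ENV))
    print(render_env_safe(SAMPLE_ENV))
    print(render_env_safe(SAMPLE_ENV, escaper=None))
    print(render_exc_safe(ValueError, ValueError('bad name <b>x</b>')))
```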

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Mailman software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   A fix is available via CVS at:

http://sourceforge.net/cvs/?group_id=103

Vendor URL:  mailman.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 21 2005 (Red Hat Issues Fix) Mailman Input Validation Error in 'scripts/driver' Lets Remote Users Conduct Cross-Site Scripting Attacks
Red Hat has released a fix.



 Source Message Contents

Subject:  [CVE-2004-1177] cross-site scripting in scripts/driver


scripts/driver does not properly escape the <>& characters when it
prints the environment once an error is detected.

A fix has been committed to the Mailman CVS repository.  My patch for
this issue is attached below.

(I'm not sure if woody is affected or not.)

diff -urNad mailman-2.1.5/scripts/driver /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver
--- mailman-2.1.5/scripts/driver	2004-12-22 14:41:22.000000000 +0100
+++ /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver	2004-12-22 14:41:22.000000000 +0100
@@ -30,6 +30,9 @@
 # printed in the error logs.
 STEALTH_MODE = 0
 
+# This will be set to the entity escaper.
+escape = None
+
 
 
 # This standard driver script is used to run CGI programs, wrapped in code
@@ -57,6 +60,19 @@
     # creation of the real logger below fails, we can still get
     # *something* meaningful.
     logger = None
+
+    # We need the entity escaper if we want to run in non-stealth
+    # mode.
+    global STEALTH_MODE, escape
+    try:
+        if not STEALTH_MODE:
+            import xml.sax.saxutils
+            escape = xml.sax.saxutils.escape
+    finally:
+        pass
+    if escape is None:
+        STEALTH_MODE = 1
+
     try:
         import paths
         # Map stderr to a logger, if possible.
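
Review bot: the "try: ... finally: pass" around "import xml.sax.saxutils" does not suppress a failed import. The finally clause runs and the exception then propagates, so the "if escape is None: STEALTH_MODE = 1" fallback right below it is never reached in the one case it was written for. Replace "finally: pass" with an except clause (for example "except ImportError: pass") so that a missing escaper downgrades to stealth mode instead of raising before the logger is set up.
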
@@ -150,10 +166,12 @@
 
 <h4>Traceback:</h4><p><pre>'''
         if traceback:
-            traceback.print_exc(file=sys.stdout)
+            for line in traceback.format_exception(sys.exc_type, sys.exc_value, sys.exc_traceback):
+                print escape(line),
+
         else:
             print '[failed to import module traceback]'
-            print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+            print '[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])
         print '\n\n</pre></body>'
     else:
         print '''<p>Please inform the webmaster for this site of this
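
Review bot: in the fallback branch, "'[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])" hands a list to the % operator, which treats it as a single argument and raises TypeError for the two %s fields; wrap the result in tuple(...). The two values are also an exception class and instance rather than strings, and xml.sax.saxutils.escape calls .replace on its argument, so convert each with str() before escaping. Separately, the added loop reads sys.exc_type, sys.exc_value and sys.exc_traceback while the else branch uses sys.exc_info(); using sys.exc_info() in both keeps the two paths consistent.
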
@@ -221,7 +239,7 @@
 '''
         if os:
             for k, v in os.environ.items():
-                print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+                print '<tr><td><tt>', escape(k), '</tt></td><td>', escape(v), '</td></tr>'
             print '</table>'
         else:
             print '<p><hr>[failed to import module os]'
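
Review bot: escape(k) and escape(v) call xml.sax.saxutils.escape with no entities argument, which covers &, < and > only. That is sufficient here because both values land in element content inside <td>, but a one-line comment saying so would stop the call being copied into an attribute context, where quotes also need escaping. Also, escape is left as None whenever the import hunk falls back to stealth mode, so this loop is only safe while it stays reachable with STEALTH_MODE at 0; a guard or comment here would make that dependency explicit.
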
 
 

