Re: Mailman: cross-site scripting bug

From: Axel Beckert - ecos gmbh (beckertat_private)
Date: Mon Jan 27 2003 - 12:28:09 PST


    At Fri, Jan 24, 2003 at 12:32:37PM -0900, Leif Sawyer wrote:
    > https://workserver//mailman/options/ak3barons?language=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
    > 
    > returns:
    > 
    > <h2>Error</h2><strong>Invalid options to CGI script.</strong>
    > 
    > 2.0.11 doesn't seem to be vulnerable to this.
    
    The same goes for 2.0.13 on Apache 1.3.27.
    
                Kind regards, Axel Beckert
    -- 
    -------------------------------------------------------------
    Axel Beckert      ecos electronic communication services gmbh
    Internetconnect * Webserver/-design/-datenbanken * Consulting
    
    Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
    E-Mail:     beckertat_private         Voice:   +49 6133 939-220
    WWW:        http://www.ecos.de/     Fax:     +49 6133 939-111
    -------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 13:18:21 PST