The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mailman Security Vulns

Discussion in 'Security' started by nickp666, Oct 11, 2006.

  1. nickp666

    nickp666 Well-Known Member

    Jan 28, 2005
    Likes Received:
    Trophy Points:

    Vulnerable Systems:
    * Mailman versions 2.1.0 up to and including 2.1.8

    Immune Systems:
    * Mailman version 2.1.9

    Mailman is subject to multiple security vulnerabilities, ranging from cross site scripting to log file injection.

    1. Cross Site Scripting (CVE-2006-3636)
    Vulnerable versions of the application are subject to a XSS vulnerability in several functions and several parameters in the mailing list administration area of the web interface. An attacker may inject arbitrary client side script code into several parameters through HTTP GET and POST method requests. Some of the injections will result in persistent injection of malicious scripting code.

    To exploit these issues, prior successful authentication of the victim IS required. As such, only users who have a valid cookie for a specific mailing list stored in their client (including administrators who do not make use of the logout function) are vulnerable to this.

    The following partial URLs demonstrate some of the issues:
    [BaseURI]/mailman/admin/mailman/members?findmember= %22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22
    [BaseURI]/mailman/edithtml/tests/listinfo.html?html_code= <h1>XSS%20demo</h1><scripT>alert(0)%3B</scripT>

    2. Log file injection
    The application is subject to a log injection vulnerability.

    By injecting CRLF sequences followed by fake time stamps, an attacker may inject additional lines into the log files created by the application.

    The following partial URL demonstrates this issue:
    [BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun 12%2018:22:08%202033%20mailmanctl(24851):

    This will result in a message similar to the following to be written into /var/log/mailman/error.log:
    Jun 11 18:50:43 2006 (32743) No such list "doesntexist":
    jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license
    has expired. please obtain an upgrade at"

    The Mailman developers have released version 2.1.9 yesterday. This is supposed to fix all of the above issues. The updated packages are available at:

Share This Page