Well-Known Member
Jan 28, 2005

Vulnerable Systems:
* Mailman versions 2.1.0 up to and including 2.1.8

Immune Systems:
* Mailman version 2.1.9

Mailman is subject to multiple security vulnerabilities, ranging from cross site scripting to log file injection.

1. Cross Site Scripting (CVE-2006-3636)
Vulnerable versions of the application are subject to a XSS vulnerability in several functions and several parameters in the mailing list administration area of the web interface. An attacker may inject arbitrary client side script code into several parameters through HTTP GET and POST method requests. Some of the injections will result in persistent injection of malicious scripting code.

To exploit these issues, prior successful authentication of the victim IS required. As such, only users who have a valid cookie for a specific mailing list stored in their client (including administrators who do not make use of the logout function) are vulnerable to this.

The following partial URLs demonstrate some of the issues:
[BaseURI]/mailman/admin/mailman/members?findmember= %22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22
[BaseURI]/mailman/edithtml/tests/listinfo.html?html_code= <h1>XSS%20demo</h1><scripT>alert(0)%3B</scripT>

2. Log file injection
The application is subject to a log injection vulnerability.

By injecting CRLF sequences followed by fake time stamps, an attacker may inject additional lines into the log files created by the application.

The following partial URL demonstrates this issue:
[BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun 12%2018:22:08%202033%20mailmanctl(24851):

This will result in a message similar to the following to be written into /var/log/mailman/error.log:
Jun 11 18:50:43 2006 (32743) No such list "doesntexist":
jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license
has expired. please obtain an upgrade at"

The Mailman developers have released version 2.1.9 yesterday. This is supposed to fix all of the above issues. The updated packages are available at: