Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14273
HistorySep 14, 2006 - 12:00 a.m.

Mailman 2.1.8 Multiple Security Issues

2006-09-1400:00:00
vulners.com
29

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA0013 - Public Advisory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Mailman 2.1.8 Multiple Security Issues +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PUBLISHED ON
Sep 13, 2006

PUBLISHED AT
http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt
http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt.sig

PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg, Germany
http://moritz-naumann.com/

security AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc

AFFECTED APPLICATION OR SERVICE
Mailman
http://mailman.sf.net

Mailman is a mailing list server. It comes with a web based
management interface, built-in archiving, automatic bounce
processing, content filtering, digest delivery, spam filters,
and more. It is a Free Software (GPL).

AFFECTED VERSIONS
Versions 2.1.0 up to and including 2.1.8.
Earlier versions may be affected, too.

ISSUES
Mailman is subject to multiple security vulnerabilities,
ranging from cross site scripting to log file injection.

+++++ 1. Cross Site Scripting (CVE-2006-3636)

Vulnerable versions of the application are subject to a XSS
vulnerability in several functions and several parameters
in the mailing list administration area of the web
interface. An attacker may inject arbitrary client side
script code into several parameters through HTTP GET and
POST method requests. Some of the injections will result
in persistent injection of malicious scripting code.

To exploit these issues, prior successful authentication
of the victim IS required. As such, only users who have a
valid cookie for a specific mailing list stored in their
client (including administrators who do not make use of the
logout function) are vulnerable to this.

The following partial URLs demonstrate some of the issues:

[BaseURI]/mailman/admin/mailman/members?findmember=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22
[BaseURI]/mailman/edithtml/tests/listinfo.html?html_code=<h1>XSS%20demo</h1><scripT>alert(0)%3B</scripT>

+++++ 2. Log file injection
The application is subject to a log injection vulnerability.

By injecting CRLF sequences followed by fake time stamps,
an attacker may inject additional lines into the log files
created by the application.

The following partial URL demonstrates this issue:

[BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun%2012%2018:22:08%202033%20mailmanctl(24851):%20%22Your%20Mailman%20license%20has%20expired.%20Please%20obtain%20an%20upgrade%20at%20www.phishme.site

This will result in a message similar to the following to
be written into /var/log/mailman/error.log:

Jun 11 18:50:43 2006 (32743) No such list "doesntexist":
jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license
has expired. please obtain an upgrade at www.phishme.site"

BACKGROUND

Cross Site Scripting (XSS):
Cross Site Scripting, also known as XSS or CSS, describes
the injection of malicious content into output produced
by a web application. A common attack vector is the
inclusion of arbitrary client side script code into the
applications' output. Failure to completely sanitize user
input from malicious content can cause a web application
to be vulnerable to Cross Site Scripting.

http://www.owasp.org/index.php/Cross_site_scripting
http://www.cgisecurity.net/articles/xss-faq.shtml

Log Injection
Log injection describes the manipulation of log files as
generated by an application or service in a way which is
not originally intended by the programmers. An attacker
may exploit this vulnerability to hide an ongoing attack
or to trick the administrator of the target system into
taking actions s/he would not otherwise take.

http://www.owasp.org/index.php/Log_injection

WORKAROUNDS
Issue 1:
Client: Disable Javascript.
Server: Prevent access to web administration interface.
Issue 2:
Client: N/A.
Server: Ignore all lower case log lines.

SOLUTIONS
The Mailman developers have released version 2.1.9 yesterday.
This is supposed to fix all of the above issues. The updated
packages are available at

http://sf.net/project/showfiles.php?group_id=103&amp;package_id=69562&amp;release_id=447065

REFERENCES
Developer Release Announcement

http://mail.python.org/pipermail/mailman-announce/2006-September/000087.html
Mailman 2.1.9 Release Notes
http://sf.net/project/shownotes.php?group_id=103&amp;release_id=447065

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFCJqNn6GkvSd/BgwRAqbAAJ9ZLJulLPR8J0z02sCPQphr4YFGlACfR4h5
Y3b1TokfGg6CGYY1fr+C3vI=
=MYVB
-----END PGP SIGNATURE-----