-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SA0013 - Public Advisory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++       Mailman 2.1.8 Multiple Security Issues      +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Sep 13, 2006


PUBLISHED AT
  http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt
  http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt.sig


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg, Germany
  http://moritz-naumann.com/

  security AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED APPLICATION OR SERVICE
  Mailman
  http://mailman.sf.net

  Mailman is a mailing list server. It comes with a web based
  management interface, built-in archiving, automatic bounce
  processing, content filtering, digest delivery, spam filters,
  and more. It is a Free Software (GPL).


AFFECTED VERSIONS
  Versions 2.1.0 up to and including 2.1.8.
  Earlier versions may be affected, too.


ISSUES
  Mailman is subject to multiple security vulnerabilities,
  ranging from cross site scripting to log file injection.

  +++++ 1. Cross Site Scripting (CVE-2006-3636)

  Vulnerable versions of the application are subject to a XSS
  vulnerability in several functions and several parameters
  in the mailing list administration area of the web
  interface. An attacker may inject arbitrary client side
  script code into several parameters through HTTP GET and
  POST method requests. Some of the injections will result
  in persistent injection of malicious scripting code.

  To exploit these issues, prior successful authentication
  of the victim IS required. As such, only users who have a
  valid cookie for a specific mailing list stored in their
  client (including administrators who do not make use of the
  logout function) are vulnerable to this.

  The following partial URLs demonstrate some of the issues:

[BaseURI]/mailman/admin/mailman/members?findmember=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22
[BaseURI]/mailman/edithtml/tests/listinfo.html?html_code=<h1>XSS%20demo</h1><scripT>alert(0)%3B</scripT>


  +++++ 2. Log file injection
  The application is subject to a log injection vulnerability.

  By injecting CRLF sequences followed by fake time stamps,
  an attacker may inject additional lines into the log files
  created by the application.

  The following partial URL demonstrates this issue:

[BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun%2012%2018:22:08%202033%20mailmanctl(24851):%20%22Your%20Mailman%20license%20has%20expired.%20Please%20obtain%20an%20upgrade%20at%20www.phishme.site

  This will result in a message similar to the following to
  be written into /var/log/mailman/error.log:

  Jun 11 18:50:43 2006 (32743) No such list "doesntexist":
  jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license
  has expired. please obtain an upgrade at www.phishme.site"



BACKGROUND

  Cross Site Scripting (XSS):
  Cross Site Scripting, also known as XSS or CSS, describes
  the injection of malicious content into output produced
  by a web application. A common attack vector is the
  inclusion of arbitrary client side script code into the
  applications' output. Failure to completely sanitize user
  input from malicious content can cause a web application
  to be vulnerable to Cross Site Scripting.

  http://www.owasp.org/index.php/Cross_site_scripting
  http://www.cgisecurity.net/articles/xss-faq.shtml

  Log Injection
  Log injection describes the manipulation of log files as
  generated by an application or service in a way which is
  not originally intended by the programmers. An attacker
  may exploit this vulnerability to hide an ongoing attack
  or to trick the administrator of the target system into
  taking actions s/he would not otherwise take.

  http://www.owasp.org/index.php/Log_injection


WORKAROUNDS
  Issue 1:
    Client: Disable Javascript.
    Server: Prevent access to web administration interface.
  Issue 2:
    Client: N/A.
    Server: Ignore all lower case log lines.


SOLUTIONS
  The Mailman developers have released version 2.1.9 yesterday.
  This is supposed to fix all of the above issues. The updated
  packages are available at

http://sf.net/project/showfiles.php?group_id=103&package_id=69562&release_id=447065


REFERENCES
  Developer Release Announcement

http://mail.python.org/pipermail/mailman-announce/2006-September/000087.html
  Mailman 2.1.9 Release Notes
    http://sf.net/project/shownotes.php?group_id=103&release_id=447065


ADDITIONAL CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFCJqNn6GkvSd/BgwRAqbAAJ9ZLJulLPR8J0z02sCPQphr4YFGlACfR4h5
Y3b1TokfGg6CGYY1fr+C3vI=
=MYVB
-----END PGP SIGNATURE-----