---------------------------------------------------------------------------
Cross Site Scripting Vulnerability in Sympa
---------------------------------------------------------------------------

Author: Joxean Koret
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sympa version 4.1.X and versions prior to 4.1.

Sympa is a feature-rich open source mailing list manager. Its design
focuses on customization possibilities and ease of administration.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerability

A1. I found a stored cross site scripting vulnerability in the "create list"
option. The list description is stored as submitted and later rendered
unescaped in the "List Info" page, so hostile HTML and script code can be
executed in the web client of any user who views that page. The code runs in
the security context of the site hosting the software, so exploitation could
allow theft of cookie-based authentication credentials. Other attacks are
also possible.

To test it, follow these steps:

1.- Navigate to http:///wws
2.- Log in with a valid e-mail address and password (or click on the
    "Send me Password" option and follow the instructions).
3.- Click on the "create list" option.
4.- In the "List Name" field enter any text you want.
5.- In the "Subject" field enter any subject you want.
6.- Select your preferred topic.
7.- In the description field insert the following text:

    Whatever_you_want<script>alert("Your cookie is " + document.cookie)</script>

8.- Click on the "Submit your creation Request" button.
9.- The list is created.
10.- Now click on "List Info". You will see your cookie in a JavaScript
     "alert" message box.

The fix:
~~~~~~~~

The vendor has been contacted but no fix has been released at the time of
writing. Until one is available, list administrators should treat every
user-supplied list field (name, subject, description) as untrusted and
HTML-escape it wherever it is written into a page.
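The flaw exercised by the steps above, modelled as an added example (this is illustrative code written for this page, not Sympa's own Perl code): a hypothetical in-memory list store stands in for Sympa's list configuration, and two renderers produce the "List Info" page, one interpolating the stored description raw and one HTML-escaping every untrusted field first. Both are run against the advisory's payload; the list name, subject and the `listStore`, `createList` and `render*` names are all assumptions for the demonstration.

```javascript
// Added example, not Sympa code: models the stored XSS path described in
// the advisory. The list "description" is stored as submitted at creation
// time and later rendered into the "List Info" page.

// Payload from the advisory (used here as constructed test input).
const ADVISORY_PAYLOAD =
  'Whatever_you_want<script>alert("Your cookie is " + document.cookie)</script>';

// Minimal HTML escaping, sufficient for text nodes and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical store standing in for the list configuration on disk.
const listStore = new Map();

// Mirrors the advisory: nothing is filtered when the list is created.
function createList(name, subject, description) {
  listStore.set(name, { name, subject, description });
  return listStore.get(name);
}

// Vulnerable renderer: attacker-controlled fields go straight into HTML.
function renderListInfoVulnerable(name) {
  const l = listStore.get(name);
  return `<h1>${l.name}</h1><p>${l.subject}</p>` +
         `<div id="desc">${l.description}</div>`;
}

// Hardened renderer: every untrusted field is escaped at the output point,
// which is the fix that does not depend on trusting the stored data.
function renderListInfoSafe(name) {
  const l = listStore.get(name);
  return `<h1>${escapeHtml(l.name)}</h1><p>${escapeHtml(l.subject)}</p>` +
         `<div id="desc">${escapeHtml(l.description)}</div>`;
}

// Crude check used only by this example: is there a live <script> start tag
// in the output? Real detection should use an HTML parser, not a regex.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Runs the advisory's payload through both renderers and reports whether a
// script element survives in each.
function demo() {
  createList('test', 'A test list', ADVISORY_PAYLOAD);
  const safeHtml = renderListInfoSafe('test');
  return {
    vulnerable: containsScriptTag(renderListInfoVulnerable('test')), // true
    safe: containsScriptTag(safeHtml),                                // false
    escaped: safeHtml.includes('&lt;script&gt;'),                     // true
  };
}

console.log(demo());
```

The point of the second renderer is where the escaping happens: at output, for every field, rather than at input for the one field the advisory names. Filtering the description on creation would leave the name and subject exposed and would not protect lists created before the filter was added.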
References
~~~~~~~~~~

The bug in the Sympa bug tracking list:
http://listes.cru.fr/mantis/view_bug_advanced_page.php?f_id=0000327

The Sympa web site:
http://www.sympa.org

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es