0013.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
  
SA0013 - Public Advisory  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
+++++ Mailman 2.1.8 Multiple Security Issues +++++  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
PUBLISHED ON  
Sep 13, 2006  
  
  
PUBLISHED AT  
http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt  
http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt.sig  
  
  
PUBLISHED BY  
Moritz Naumann IT Consulting & Services  
Hamburg, Germany  
http://moritz-naumann.com/  
  
security AT moritz HYPHON naumann D0T com  
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc  
  
  
AFFECTED APPLICATION OR SERVICE  
Mailman  
http://mailman.sf.net  
  
Mailman is a mailing list server. It comes with a web based  
management interface, built-in archiving, automatic bounce  
processing, content filtering, digest delivery, spam filters,  
and more. It is a Free Software (GPL).  
  
  
AFFECTED VERSIONS  
Versions 2.1.0 up to and including 2.1.8.  
Earlier versions may be affected, too.  
  
  
ISSUES  
Mailman is subject to multiple security vulnerabilities,  
ranging from cross site scripting to log file injection.  
  
+++++ 1. Cross Site Scripting (CVE-2006-3636)  
  
Vulnerable versions of the application are subject to a XSS  
vulnerability in several functions and several parameters  
in the mailing list administration area of the web  
interface. An attacker may inject arbitrary client side  
script code into several parameters through HTTP GET and  
POST method requests. Some of the injections will result  
in persistent injection of malicious scripting code.  
  
To exploit these issues, prior successful authentication  
of the victim IS required. As such, only users who have a  
valid cookie for a specific mailing list stored in their  
client (including administrators who do not make use of the  
logout function) are vulnerable to this.  
  
The following partial URLs demonstrate some of the issues:  
  
[BaseURI]/mailman/admin/mailman/members?findmember=%22%3E%3Cscript%3Ealert(0)%3B%3C/script%3E%3Cx%20y=%22  
[BaseURI]/mailman/edithtml/tests/listinfo.html?html_code=<h1>XSS%20demo</h1><scripT>alert(0)%3B</scripT>  
  
  
+++++ 2. Log file injection  
The application is subject to a log injection vulnerability.  
  
By injecting CRLF sequences followed by fake time stamps,  
an attacker may inject additional lines into the log files  
created by the application.  
  
The following partial URL demonstrates this issue:  
  
[BaseURI]/mailman/listinfo/doesntexist%22:%0D%0AJun%2012%2018:22:08%202033%20mailmanctl(24851):%20%22Your%20Mailman%20license%20has%20expired.%20Please%20obtain%20an%20upgrade%20at%20www.phishme.site  
  
This will result in a message similar to the following to  
be written into /var/log/mailman/error.log:  
  
Jun 11 18:50:43 2006 (32743) No such list "doesntexist":  
jun 12 18:22:08 2033 mailmanctl(24851): "your mailman license  
has expired. please obtain an upgrade at www.phishme.site"  
  
  
  
BACKGROUND  
  
Cross Site Scripting (XSS):  
Cross Site Scripting, also known as XSS or CSS, describes  
the injection of malicious content into output produced  
by a web application. A common attack vector is the  
inclusion of arbitrary client side script code into the  
applications' output. Failure to completely sanitize user  
input from malicious content can cause a web application  
to be vulnerable to Cross Site Scripting.  
  
http://www.owasp.org/index.php/Cross_site_scripting  
http://www.cgisecurity.net/articles/xss-faq.shtml  
  
Log Injection  
Log injection describes the manipulation of log files as  
generated by an application or service in a way which is  
not originally intended by the programmers. An attacker  
may exploit this vulnerability to hide an ongoing attack  
or to trick the administrator of the target system into  
taking actions s/he would not otherwise take.  
  
http://www.owasp.org/index.php/Log_injection  
  
  
WORKAROUNDS  
Issue 1:  
Client: Disable Javascript.  
Server: Prevent access to web administration interface.  
Issue 2:  
Client: N/A.  
Server: Ignore all lower case log lines.  
  
  
SOLUTIONS  
The Mailman developers have released version 2.1.9 yesterday.  
This is supposed to fix all of the above issues. The updated  
packages are available at  
  
http://sf.net/project/showfiles.php?group_id=103&package_id=69562&release_id=447065  
  
  
REFERENCES  
Developer Release Announcement  
  
http://mail.python.org/pipermail/mailman-announce/2006-September/000087.html  
Mailman 2.1.9 Release Notes  
http://sf.net/project/shownotes.php?group_id=103&release_id=447065  
  
  
ADDITIONAL CREDIT  
N/A  
  
  
LICENSE  
Creative Commons Attribution-ShareAlike License Germany  
http://creativecommons.org/licenses/by-sa/2.0/de/  
  
  
  
  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (GNU/Linux)  
  
iD8DBQFFCJqNn6GkvSd/BgwRAqbAAJ9ZLJulLPR8J0z02sCPQphr4YFGlACfR4h5  
Y3b1TokfGg6CGYY1fr+C3vI=  
=MYVB  
-----END PGP SIGNATURE-----  
  
`