Startseite Themen Datenschutzgerechte Konfiguration von E-Mail, SMTP und Co. Datenschutzkonforme Konfiguration von Mailinglisten Technische Hinweise zu Mailinglisten Mailman Cross-Site Scripting and Weak Password Generation 
[Druckversion: HTML ]
Benutzer:
Gast

Valid XHTML 1.0 Transitional

Mailman Cross-Site Scripting and Weak Password Generation

Stand: 21.01.2010

Datum: 12.01.2005
Software: Mailman 2.x

Provided and/or discovered by
(1) Florian Weimer
(2) ZENDAS

Description:

Zugriff: Die ganze Welt

A vulnerability and a weakness have been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially brute force a user's password.

1) Input is not properly sanitised by "scripts/driver" when returning error pages. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of a vulnerable site by tricking a user into visiting a malicious web site or follow a specially crafted link.

2) A weakness in the algorithm of the automatic password generation causes only about five million different passwords to be generated. This makes it easier to brute force automatically generated passwords.

Solution:

Zugriff: Die ganze Welt

1) Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
2) Choose a strong password for subscriptions, instead of letting Mailman generate one.

Weiterführende Seiten zu den Themen:
Copyright 2018 by ZENDAS ..