Mailman Cross-Site Scripting and Weak Password Generation

Stand: 21.01.2010

Datum: 12.01.2005
Software: Mailman 2.x

Provided and/or discovered by
(1) Florian Weimer


Zugriff: Die ganze Welt

A vulnerability and a weakness have been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially brute force a user's password.

1) Input is not properly sanitised by "scripts/driver" when returning error pages. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of a vulnerable site by tricking a user into visiting a malicious web site or follow a specially crafted link.

2) A weakness in the algorithm of the automatic password generation causes only about five million different passwords to be generated. This makes it easier to brute force automatically generated passwords.


Zugriff: Die ganze Welt

1) Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
2) Choose a strong password for subscriptions, instead of letting Mailman generate one.

Zurück zur Übersicht mehr infos
Copyright 2021 by ZENDAS ..