[CAN-2004-1177] cross-site scripting in scripts/driver

Bug #11524 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to  Milestone
mailman (Debian)  Fix Released  Unknown
mailman (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #287555 http://bugs.debian.org/287555

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #287555 http://bugs.debian.org/287555

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 28 Dec 2004 20:01:22 +0100
From: Florian Weimer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-1177] cross-site scripting in scripts/driver

Package: mailman
Severity: grave
Tags: security patch
Justification: user security hole

scripts/driver does not properly escape the <>& characters when it
prints the environment once an error is detected.

A fix has been committed to the Mailman CVS repository. My patch for
this issue is attached below.

(I'm not sure if woody is affected or not.)

diff -urNad mailman-2.1.5/scripts/driver /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver
--- mailman-2.1.5/scripts/driver 2004-12-22 14:41:22.000000000 +0100
+++ /tmp/dpep.mzDE9X/mailman-2.1.5/scripts/driver 2004-12-22 14:41:22.000000000 +0100
@@ -30,6 +30,9 @@
 # printed in the error logs.
 STEALTH_MODE = 0

+# This will be set to the entity escaper.
+escape = None
+

 # This standard driver script is used to run CGI programs, wrapped in code
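Review bot: `escape = None` as the module-level default means any `escape(...)` call that runs while the import fallback has not set it raises `TypeError` inside the very error handler this script exists to protect; a safe default such as a small function doing `s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')` would make the non-stealth path independent of `xml.sax.saxutils` being importable.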
@@ -57,6 +60,19 @@
     # creation of the real logger below fails, we can still get
     # *something* meaningful.
     logger = None
+
+ # We need the entity escaper if we want to run in non-stealth
+ # mode.
+ global STEALTH_MODE, escape
+ try:
+ if not STEALTH_MODE:
+ import xml.sax.saxutils
+ escape = xml.sax.saxutils.escape
+ finally:
+ pass
+ if escape is None:
+ STEALTH_MODE = 1
+
     try:
         import paths
         # Map stderr to a logger, if possible.
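Review bot: the `try: ... finally: pass` around `import xml.sax.saxutils` catches nothing, so an `ImportError` propagates out of the handler instead of reaching the `if escape is None: STEALTH_MODE = 1` fallback below it; the intended construct is `except ImportError: pass`. A minor style point: the `global STEALTH_MODE, escape` declaration would read better at the top of the function, before `logger = None`.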
@@ -150,10 +166,12 @@

 <h4>Traceback:</h4><p><pre>'''
         if traceback:
- traceback.print_exc(file=sys.stdout)
+ for line in traceback.format_exception(sys.exc_type, sys.exc_value, sys.exc_traceback):
+ print escape(line),
+
         else:
             print '[failed to import module traceback]'
- print '[exc: %s, var: %s]' % sys.exc_info()[0:2]
+ print '[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])
         print '\n\n</pre></body>'
     else:
         print '''<p>Please inform the webmaster for this site of this
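Review bot: `print '[exc: %s, var: %s]' % map(escape, sys.exc_info()[0:2])` is broken in two ways: `sys.exc_info()[0:2]` yields the exception class and instance, not strings, so `escape()` fails with `AttributeError` when it calls `.replace` on them, and `map()` returns a list, which the `%` operator treats as a single argument, raising `TypeError: not enough arguments`. Stringify and convert to a tuple first, e.g. `tuple([escape(str(x)) for x in sys.exc_info()[0:2]])`. The `print escape(line),` loop works because `format_exception` lines already carry their newlines, though the trailing comma adds a stray space at the start of each line inside `<pre>`.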
@@ -221,7 +239,7 @@
 '''
         if os:
             for k, v in os.environ.items():
- print '<tr><td><tt>', k, '</tt></td><td>', v, '</td></tr>'
+ print '<tr><td><tt>', escape(k), '</tt></td><td>', escape(v), '</td></tr>'
             print '</table>'
         else:
             print '<p><hr>[failed to import module os]'
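Review bot: escaping `k` and `v` is sufficient here because both land as element text between `<tt>`/`<td>` tags rather than inside an attribute, where `saxutils.escape` alone (it does not escape quotes) would not be enough; the hunk still depends on `escape` being non-None, so it must remain under the non-stealth branch (the visible context does not show the `STEALTH_MODE` guard), otherwise a `TypeError` from calling `None` replaces the intended diagnostic page.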

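Added example (not Mailman's code and not Florian's patch): the driver's error page modelled in Python 3, with the environment dump and the traceback entity-escaped through `xml.sax.saxutils.escape` as the patch does, plus the working form of the `[exc: ..., var: ...]` line, where the exception objects must be stringified and the result made a tuple before `%` formatting. The environment values, the exception and all function names are constructed for illustration.

```python
"""Added example (not Mailman's code): driver-style error page with every
untrusted field entity-escaped, modelled on the CAN-2004-1177 fix.
Sample environment, exception and function names are constructed."""
import sys
import traceback
from xml.sax.saxutils import escape  # escapes &, <, > (what the patch uses)


def render_environment(environ):
    """Environment table. Keys and values are element text, so escaping
    &, < and > is sufficient; no attribute context is involved."""
    rows = ['<table>']
    for k, v in sorted(environ.items()):
        rows.append('<tr><td><tt>%s</tt></td><td>%s</td></tr>'
                    % (escape(k), escape(v)))
    rows.append('</table>')
    return '\n'.join(rows)


def render_traceback(exc_info):
    """Escaped traceback block. exc_info holds objects, not strings, so
    each is passed through str() before escape(), and the escaped pair is
    made a tuple so the % operator sees two arguments, not one list."""
    etype, value, tb = exc_info
    lines = traceback.format_exception(etype, value, tb)
    body = ''.join(escape(line) for line in lines)
    summary = '[exc: %s, var: %s]' % tuple(escape(str(x)) for x in (etype, value))
    return '<h4>Traceback:</h4><p><pre>\n%s%s\n</pre>' % (body, summary)


def render_error_page(environ, exc_info):
    return render_traceback(exc_info) + '\n' + render_environment(environ)


# Constructed sample: a request header that reaches the CGI environment
# as HTTP_X_NOTE carries raw markup, the case the patch neutralises.
SAMPLE_ENV = {'REQUEST_METHOD': 'GET',
              'QUERY_STRING': 'a=1&b=2',
              'HTTP_X_NOTE': '</pre><b>injected</b>'}


def sample_page():
    """Raise a constructed error and render the page for it."""
    try:
        raise ValueError('bad <input> & more')
    except ValueError:
        return render_error_page(SAMPLE_ENV, sys.exc_info())


if __name__ == '__main__':
    print(sample_page())
```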
Revision history for this message
Martin Pitt (pitti) wrote :

Fixed in Warty in USN-59-1.

Tollef will prepare a new Sid package soon; this should just be synced to Hoary.

Revision history for this message
Tollef Fog Heen (tfheen) wrote : Bug#287555: fixed in mailman 2.1.5-5

Source: mailman
Source-Version: 2.1.5-5

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:

mailman_2.1.5-5.diff.gz
  to pool/main/m/mailman/mailman_2.1.5-5.diff.gz
mailman_2.1.5-5.dsc
  to pool/main/m/mailman/mailman_2.1.5-5.dsc
mailman_2.1.5-5_i386.deb
  to pool/main/m/mailman/mailman_2.1.5-5_i386.deb
mailman_2.1.5.orig.tar.gz
  to pool/main/m/mailman/mailman_2.1.5.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <email address hidden> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Mon, 10 Jan 2005 17:12:58 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-5
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <email address hidden>
Changed-By: Tollef Fog Heen <email address hidden>
Description:
 mailman - Powerful, web-based mailing list manager
Closes: 280529 284771 285839 286796 287555
Changes:
 mailman (2.1.5-5) unstable; urgency=high
 .
   * Fix CAN-2004-1143 (weak auto-generated passwords) by pulling the
     appropriate CVS change from upstream. Thanks to Florian Weimer for
     finding and producing a patch for this bug. (closes: #286796)
   * Fix CAN-2004-1177 (CSS problem in scripts/driver) by pulling the
     appropriate patch from upstream CVS. Thanks to Florian Weimer for
     discovering and producing a patch for this bug. (closes: #287555)
   * Handle the case of upgrading from Mailman 2.0 where we have
     pending subscriptions. This should hopefully fix #280529. Thanks to
     Bastian Kleinedam for the patch. (closes: #280529)
   * Skip directories when updating templates, to make the life easier for
     people who have their configuration in Subversion or Arch.
     (closes: #284771)
   * Remove 55_options_traceback.dpatch as this problem seems to have been
     fixed upstream and it causes other problems. (closes: #285839)
Files:
 211e90f80573d909d805e2b9d40dd21e 640 mail optional mailman_2.1.5-5.dsc
 f5f56f04747cd4aff67427e7a45631af 5745912 mail optional mailman_2.1.5.orig.tar.gz
 7c0131c39ae93621120673b94cde9be7 174358 mail optional mailman_2.1.5-5.diff.gz
 997fd482d1a92d751c132a449d150fc9 6607802 mail optional mailman_2.1.5-5_i386.deb


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 14 Jan 2005 04:47:08 -0500
From: Tollef Fog Heen <email address hidden>
To: <email address hidden>
Subject: Bug#287555: fixed in mailman 2.1.5-5


Revision history for this message
Martin Pitt (pitti) wrote :

(In reply to comment #2)
> Fixed in Warty in USN-59-1.
>
> Tollef will prepare a new Sid package soon, this should just be synced to Hoary.

Hoary sync has just happened, so this bug can be closed.

Changed in mailman:
status: Unknown → Fix Released