Unescaped HTML in subject lines
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GNU Mailman | Fix Released | High | Unassigned | |
Bug Description
Currently (in 2.0.x and up to 2.1b2), the archive index pages do not escape HTML in the subject lines of posts. This exposes the possibility of malicious or annoying list members being able to invoke cross-site javascript on the index pages, or simply corrupt the archive display by adding HTML fragments (e.g. '<font size="10">' without a corresponding '</font>').
The fix is extremely simple: just edit the file /home/mailman/ so that the function write_index_entry() (which starts at or near line 882 in v2.06) has its last line read as follows:

```python
print index_entry_
(article.filename),
(subject), article.sequence,
```

[i.e. add the crucial html_quote() function around the subject]
Hope that helps,
-Tristan.
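To show the difference the reported fix makes, here is an added example (not Mailman's own code) that renders an archive index entry with and without quoting the subject, and a check that counts markup the untrusted subject injected. The template, function names and the sample subject are constructed assumptions; Mailman's real template and the Python 2 `print` statement differ.

```python
import html

# Constructed stand-in for an archive index entry template (assumption:
# Mailman's real template name and layout differ). Its own tags are the
# only markup that a rendered entry should ever contain.
INDEX_ENTRY_TEMPLATE = '<LI><A HREF="{filename}">{subject}</A> <I>{author}</I>'

# Constructed sample subject, modelled on the fragment named in the report:
# an unclosed <font> tag that would restyle the rest of the index page.
SAMPLE_SUBJECT = '<font size="10">Meeting minutes'


def html_quote(value):
    """Escape the characters that can open a tag or attribute in HTML."""
    return html.escape(value, quote=True)


def render_entry_unescaped(filename, subject, author):
    """Pre-fix behaviour: header values are interpolated verbatim."""
    return INDEX_ENTRY_TEMPLATE.format(
        filename=filename, subject=subject, author=author)


def render_entry_escaped(filename, subject, author):
    """Fixed behaviour: html_quote() wraps every header-derived value."""
    return INDEX_ENTRY_TEMPLATE.format(
        filename=filename, subject=html_quote(subject), author=html_quote(author))


def injected_tag_count(rendered):
    """Number of '<' in the output beyond those the template contributes.

    Anything above zero means untrusted input reached the page as markup;
    this is a cheap regression check to run over a generated index page.
    """
    return rendered.count('<') - INDEX_ENTRY_TEMPLATE.count('<')


if __name__ == '__main__':
    for render in (render_entry_unescaped, render_entry_escaped):
        out = render('000001.html', SAMPLE_SUBJECT, 'alice')
        print(render.__name__, injected_tag_count(out), out)
```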
I believe this report is out of date. All known cross-site
scripting attacks have been fixed as of MM2.0.10 and I don't
believe MM2.1b2 is vulnerable. I double checked the code in
each version and indeed both versions make sure to quote any
html in subjects.
Can you please double check the latest versions (2.0.10 and 2.1cvs)?