CSRF protection needs to be extended to the user options page

Bug #1614841 reported by Mark Sapiro on 2016-08-19
This bug affects 2 people
Affects Status Importance Assigned to Milestone
GNU Mailman
Mark Sapiro

Bug Description

There is a possibility of a CSRF attack via the user options page which could allow an attacker to discover a user's password. Reported by Nishant Agarwala.

Related branches

CVE References

Mark Sapiro (msapiro) wrote :

CVE-2016-6893 has been assigned for this issue.

Mark Sapiro (msapiro) on 2016-08-21
description: updated
Mike Cave (mcave) wrote :

What versions does this bug effect?

Mark Sapiro (msapiro) wrote :

> What versions?

All Mailman 2.1.x prior to 2.1.23. However, versions older than 2.1.15 are also vulnerable to CSRF attacks on the admin web interface.

Mark Sapiro (msapiro) on 2016-08-27
Changed in mailman:
status: In Progress → Fix Released
Mark Sapiro (msapiro) wrote :

A patch to fix this which is applicable to Mailman >= 2.1.15 and <= 2.1.22 is attached here. This fix has also been released as part of Mailman 2.1.23.

Mark Sapiro (msapiro) wrote :

The patch attached at https://bugs.launchpad.net/mailman/+bug/1614841/comments/4 may look garbled if opened in your browser, but the downloaded file should be OK.

Re Comment #3 it appears this has triggered a new CVE-2016-7123 to be issued just based on this one line that Mark Sapiro wrote with no other confirmation than this launchpad bug #1614841, but I wonder if the latter CVE (CVE-2016-7123) is a duplicate of the old CVE-2011-0707, or a new separate issue. Haven't been able to find relevant information so far, and people are also wondering and reporting this elsewhere. <https://www.cvedetails.com/cve/CVE-2011-0707/>

Related: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378 <- requesting FreeBSD to list CVE-2016-7123 as a new bug (note that FreeBSD already marked CVE-2016-6893 which covers a wider span of versions).

Mark Sapiro (msapiro) wrote :

CVE-2011-0707 is not related to this CSRF issue. It references an XSS vulnerability that was fixed in Mailman 2.1.15 and so noted in the changelog of that release at https://launchpad.net/mailman/2.1/2.1.15

CVE-2016-7123 is a new CVE that apparently just acknowledging the CSRF vulnerability in the admin interface that exists in Mailman prior to 2.1.15. See https://bugs.launchpad.net/mailman/+bug/775294

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.