Potential Privilege escalation via the user options page.

Bug #1947639 reported by Mark Sapiro
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Fix Released
Mark Sapiro

Bug Description

The `csrf_token` generated for the `options` page is always an `admin` token rather than specific to the authenticated user for that session. This admin token contains information that is derived from the hashed list admin password, which could theoretically allow a brute-force attack to obtain the list admin password.

Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix.

Related branches

CVE References

Mark Sapiro (msapiro)
summary: - Potential Privilege escallation via the user options page.
+ Potential Privilege escalation via the user options page.
Revision history for this message
Mark Sapiro (msapiro) wrote :
Mark Sapiro (msapiro)
information type: Private Security → Public Security
Changed in mailman:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.