Unescaped HTML in subject lines

Bug #265656 reported by Tristan-roddis
Affects:      GNU Mailman
Status:       Fix Released
Importance:   High
Assigned to:  Unassigned
Milestone:

Bug Description

Currently (in 2.0.x and up to 2.1b2), the archive index pages do not escape HTML in the subject lines of posts. This exposes the possibility of malicious or annoying list members being able to invoke cross site javascript on the index pages, or simply corrupt the archive display by adding HTML fragments (e.g. '<font size="10">' without a corresponding '</font>').

The fix is extremely simple: just edit the file /home/mailman/Mailman/Archiver/HyperArch.py so that the last line of the function write_index_entry() (which starts at or near line 882 in v2.06) reads as follows:

        # last line of write_index_entry(): HTML-quote the subject
        # before interpolating it into the index page
        print index_entry_template % (urllib.quote(article.filename),
                                      html_quote(subject), article.sequence,
                                      author)

[i.e. add the crucial html_quote() function around the subject]

Hope that helps,

-Tristan.

[http://sourceforge.net/tracker/index.php?func=detail&aid=558208&group_id=103&atid=100103]
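To make the report concrete, the following is an added example (not Mailman's own code) that renders an index entry the way write_index_entry() does, once with the raw subject and once with it HTML-quoted. The template is constructed to mirror the argument order on the page, the standard library's html.escape stands in for Mailman's html_quote()/CGIescape(), and the fixed variant also quotes the author field, as the thread says 2.1b2 does.

```python
# Added example, not Mailman's own code: render a pipermail-style index
# entry with and without HTML quoting of the subject line.
import html
import re
from urllib.parse import quote

# Constructed template; the real index_entry_template lives in HyperArch.py.
# Argument order matches the report: filename, subject, sequence, author.
INDEX_ENTRY_TEMPLATE = (
    '<LI><A HREF="%s">%s\n'
    '</A><A NAME="%i">&nbsp;</A>\n'
    '<I>%s\n</I>'
)


def render_entry_vulnerable(filename, subject, sequence, author):
    """Pre-fix behaviour: the subject is interpolated into the page raw."""
    return INDEX_ENTRY_TEMPLATE % (quote(filename), subject, sequence, author)


def render_entry_fixed(filename, subject, sequence, author):
    """Post-fix behaviour: subject and author are HTML-quoted first.
    html.escape stands in for Mailman's html_quote()/CGIescape()."""
    return INDEX_ENTRY_TEMPLATE % (
        quote(filename),
        html.escape(subject, quote=True),
        sequence,
        html.escape(author, quote=True),
    )


_TAG = re.compile(r"<[^>]+>")


def leaked_tags(rendered, untrusted):
    """Return the tags from an untrusted string that reached the output
    verbatim; an empty list means the field was quoted properly."""
    return [t for t in _TAG.findall(untrusted) if t in rendered]


if __name__ == "__main__":
    # Constructed sample subjects: the unbalanced <font> from the report
    # and a script tag standing for the "cross site javascript" case.
    for subject in ('<font size="10">Hello', "<script>x()</script>Re: test"):
        bad = render_entry_vulnerable("000001.html", subject, 1, "alice")
        good = render_entry_fixed("000001.html", subject, 1, "alice")
        print("raw   :", leaked_tags(bad, subject))
        print("quoted:", leaked_tags(good, subject))
```

Running it shows the raw rendering leaking every tag from the subject while the quoted rendering leaks none.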

Tags: pipermail
Barry Warsaw (barry) wrote :

I believe this report is out of date. All known cross-site scripting attacks have been fixed as of MM2.0.10 and I don't believe MM2.1b2 is vulnerable. I double checked the code in each version and indeed both versions make sure to quote any html in subjects.

Can you please double check the latest versions (2.0.10 and 2.1cvs)?

Tristan-roddis (tristan-roddis) wrote :

I've just had a look, and the offending line is still there in the file HyperArch.py for both versions (line number 882 in 2.10, and line 862 from both the mailman2.1b2.tar archive and the latest CVS). Note that there was never this problem with the subject lines for each individual article; it's only the index pages that are missing the HTML quoting function.

HTH,

-T.

Barry Warsaw (barry) wrote :

Fixed in MM2.0.11

Barry Warsaw (barry) wrote :

I'm re-opening this but moving it to the bugs tracker.

I believe MM2.0.10 is vulnerable to this attack and the fix is simple. MM2.1b2 is not vulnerable because if you look at line 859 in HyperArch.py, you'll see that the subject and author fields are always CGIescape()'d.
