Bug 359182 (CVE-2008-0564) - VUL-0: CVE-2008-0564: mailman XSS
Summary: VUL-0: CVE-2008-0564: mailman XSS
Status: RESOLVED FIXED
Alias: CVE-2008-0564
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Deadline: 2008-03-05
Assignee: Heiko Rommel
QA Contact: Security Team bot
URL:
Whiteboard: patchinfos submitted
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-06 13:01 UTC by Ludwig Nussel
Modified: 2017-08-02 06:59 UTC
4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
the patch (11.02 KB, patch)
2008-02-06 13:02 UTC, Ludwig Nussel

Description Ludwig Nussel 2008-02-06 13:01:48 UTC
We received the following report via vendor-sec.
The issue is public.

The improved fix is CVE-2008-0564

From the surrounding discussion I somehow got the impression that this is not severe enough to justify an online update.

Date: Mon, 04 Feb 2008 15:09:03 -0800
From: Mark Sapiro <mark@msapiro.net>
To: Jonathan Smith <smithj@freethemallocs.com>,
	Moritz Naumann <security@moritz-naumann.com>
Subject: Re: Re: [vendor-sec] mailman 2.1.10b3 fixes security issues?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jonathan Smith wrote:
| Jonathan Smith wrote:
|> According to
|>
|> http://mail.python.org/pipermail/mailman-announce/2008-February/000096.htm
|> , version 2.1.10b3, a beta release, "enhances" the fix for
|> CVE-2006-3636. The announcement isn't very clear on which
|> "enhancements" are made, except that some XSS attacks are now
|> detected. Were they not previously? If the previous fix did not
|> completely eliminate the security issue, a new CVE should be obtained
|> and used to prevent this sort of confusion.
|>
|> Any information you can provide on these changes would be appreciated,
|> especially a patch which could be applied to older versions.
|
| Er, sorry, that URL should be
|
| http://mail.python.org/pipermail/mailman-announce/2008-February/000096.html


The attached p1.txt is a patch that should apply to Mailman 2.1.9 with
perhaps some offset.

By way of clarification, Mailman allows a list admin to enter an HTML
fragment in the list's info attribute to be rendered as part of the
list's specific listinfo page. It also allows a list admin to edit some
HTML templates for other list specific web pages.

The original fix for CVE-2006-3636 improved the recognition and escaping
of <script> tags entered in the info attribute and edited HTML. It also
closed a number of other potential exploits having to do with specially
crafted URLs or entry of specially crafted data in fields on various
mailman web forms.

The current 2.1.10b1 and 2.1.10b3 enhancement addresses potentially
malicious HTML that might be entered in the info attribute or edited
templates. It goes beyond recognizing and escaping <script> tags. It
disallows any update matching a large set of tags and script and action
keywords that might potentially be misused.

The original CVE was obtained by Moritz Naumann (addressed on this mail)
who also gave much welcome advice used in developing the current
enhancement.

I confess, I am not really a security guy. Perhaps Moritz can obtain a
new CVE for this enhancement.

- --
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHp5sOVVuXXpU7hpMRAvzQAJ4+FnPqwJdsg9AjNxug5mM7L2ofUgCgk3r2
M9j90lTmNglRecsuvIqF3ZU=
=8ARS
-----END PGP SIGNATURE-----
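As an added illustration of the two approaches Mark Sapiro contrasts above (the original CVE-2006-3636 fix, which escaped <script> tags in the admin-entered info fragment, versus the 2.1.10 enhancement, which rejects any update matching a broad set of tags and script or action keywords), here is a small Python checker. It is not Mailman's code: the blocked tag list, the attribute and URL-scheme patterns, and the sample fragments are assumptions constructed for this example, and the checker goes slightly beyond the text by also normalising tag case and flagging script-scheme URLs.

```python
import re

# Constructed blocklist for illustration only; Mailman's real list is larger and different.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "applet",
                "meta", "link", "style", "form", "base"}

# Any tag name, opening or closing, with optional whitespace after '<'.
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
# Event-handler attributes (on*) and form action attributes.
_ATTR_RE = re.compile(r"\b(on[a-z]+|action|formaction)\s*=", re.IGNORECASE)
# href/src/action values that use a script scheme.
_SCRIPT_URL_RE = re.compile(
    r"""(?:href|src|action)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:""",
    re.IGNORECASE)

# Constructed sample of a harmless list description an admin might enter.
SAFE_FRAGMENT = ('<p>Welcome to the <b>list</b>. '
                 'See <a href="http://example.org/faq">the FAQ</a>.</p>')


def escape_script_only(fragment):
    """Older style: escape only the '<' of <script> and </script>; everything else passes."""
    return re.sub(r"<(/?)\s*script\b",
                  lambda m: "&lt;" + m.group(1) + "script",
                  fragment, flags=re.IGNORECASE)


def find_violations(fragment):
    """Enhanced style: list every reason the fragment would be refused as an update.

    Returns an empty list when the fragment is acceptable. Reasons are deduplicated
    and reported as 'tag:<name>', 'attr:<name>' or 'url:script-scheme'.
    """
    reasons = []

    def add(reason):
        if reason not in reasons:
            reasons.append(reason)

    for m in _TAG_RE.finditer(fragment):
        # Lower-case so <ScRiPt> and <SCRIPT> are treated like <script>.
        tag = m.group(1).lower()
        if tag in BLOCKED_TAGS:
            add("tag:" + tag)
    for m in _ATTR_RE.finditer(fragment):
        add("attr:" + m.group(1).lower())
    if _SCRIPT_URL_RE.search(fragment):
        add("url:script-scheme")
    return reasons


def accept_update(fragment):
    """Decision the admin form would take: store the fragment only if nothing matched."""
    return not find_violations(fragment)


if __name__ == "__main__":
    # Constructed fragments, from benign to ones the older escape-only fix lets through.
    samples = [
        SAFE_FRAGMENT,
        '<ScRiPt>x()</ScRiPt>',
        '<img src="logo.png" onerror="x()">',
        '<a href="javascript:x()">x</a>',
        '<form action="http://example.org/x">',
    ]
    for s in samples:
        print(repr(s))
        print("  escape-only result :", repr(escape_script_only(s)))
        print("  enhanced violations:", find_violations(s), "-> accept:", accept_update(s))
```

The second and third samples show the gap the enhancement closes: escaping only the literal <script> tag leaves an event-handler attribute untouched, whereas the broader match refuses the whole update. The cost of that design, which Sapiro's description implies, is that a list admin loses legitimate uses of the blocked tags and attributes; the checker reports every reason so the admin can see what to remove.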
Comment 1 Ludwig Nussel 2008-02-06 13:02:00 UTC
Created attachment 193402
the patch
Comment 2 Ludwig Nussel 2008-02-07 08:02:13 UTC
Date: Wed, 6 Feb 2008 15:09:22 -0500 (EST)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: Moritz Naumann <info@moritz-naumann.com>
Subject: Re: [vendor-sec] mailman 2.1.10b3 fixes security issues?

On Wed, 6 Feb 2008, Moritz Naumann wrote:

> CVE-2008-0564
> is about XSS, not about CSRF (though, as every XSS vulnerability, it also
> affects how applications are prone to CSRF attacks).

Yes, CVE-2008-0564 is only intended for the XSS issue.

Given all the discussion about the CSRF - I've assigned a new identifier
to handle that, even though there isn't a fix.  Use CVE-2008-0637


- Steve
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 3 Thomas Biege 2008-08-08 13:14:42 UTC
Heiko,
please provide updates within the next week.
Comment 4 Sebastian Krahmer 2008-08-11 07:59:48 UTC
MaintenanceTracker-19189.
Comment 5 Heiko Rommel 2008-08-13 06:57:45 UTC
The defect affects all of SLES9, SLES10 (SP1+SP2) and 10.2-11.0.
The fix applies on all of them (with small modifications on SLES9).
Shall I submit for all affected code bases?

In addition, I would like to fix Bug 409352 along. Agreed?
Comment 6 Thomas Biege 2008-08-13 07:04:25 UTC
Yes and yes. :)

Comment 7 Thomas Biege 2008-08-13 07:09:55 UTC
Is the CSRF (CVE-2008-0637) bug fixed too or is there still no patch available for it?
Comment 8 Heiko Rommel 2008-08-13 11:15:13 UTC
AFAICS, there is currently no fix for the CSRF issue (CVE-2008-0637) around.
Comment 9 Heiko Rommel 2008-08-13 11:26:24 UTC
-
Comment 10 Thomas Biege 2008-08-13 11:31:39 UTC
Then we go w/o it.
Comment 11 Heiko Rommel 2008-08-14 08:39:45 UTC
fixed packages submitted for sles10, sles9, 11.0, 10.3, 10.2
Comment 12 Ruediger Oertel 2008-08-14 09:18:58 UTC
patchinfo mentions SLES8
typo or missing package?
Comment 13 Thomas Biege 2008-08-14 10:16:47 UTC
typo :\
Comment 15 Thomas Biege 2008-08-20 09:43:39 UTC
packages released