[Secure-testing-team] Bug#598743: hypermail: XSS vulnerability
Kevin Fernandez
kevin at findhost.org
Fri Oct 1 16:17:51 UTC 2010
Package: hypermail
Version: 2.2.0.dfsg-2
Severity: grave
Tags: security
Justification: user security hole
Hypermail has a cross-site scripting vulnerability in the way it
indexes mails.
Eg: send a mail with this From address:
"<iframe src=//debian.org>" email at debian.org
All the pages indexing this email will have the iframe interprated as
html, the message listing under a specific message is also affected.
This was discovered by Eduardo Abril who sent <b>pepelotas</b> here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/index.html
Regards
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32.23-grsec (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8 at euro, LC_CTYPE=fr_FR.UTF-8 at euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages hypermail depends on:
ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
ii libgdbm3 1.8.3-3 GNU dbm database routines (runtime
ii libpcre3 7.6-2.1 Perl 5 Compatible Regular Expressi
ii python 2.5.2-3 An interactive high-level object-o
hypermail recommends no packages.
hypermail suggests no packages.
-- no debconf information
More information about the Secure-testing-team
mailing list