<<< Date Index >>>     <<< Thread Index >>>

Cross Site Scripting Vulnerability in Sympa




--------------------------------------------------------------------------- 
              Cross Site Scripting Vulnerability in 
Sympa  
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
Sympa Version 4.1.X and prior to version 4.1 
 
Sympa is a rich open source mailing list 
software. Its design highly focuses  
on customization possibilities and ease of 
administration.  
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Cross Site Scripting Vulnerability 
 
A1. I found a cross site scripting vulnerability in 
the creation list option. 
 
This could allow for execution of hostile HTML 
and script code in the web  
client of a user who visits a web page that 
contains the malicious code.  
This would occur in the security context of the 
site hosting the software. 
  
Exploitation could allow for theft of cookie-based 
authentication credentials. Other attacks are 
also possible.  
 
To test it follow these steps :  
 
 1.- Navigate to http://<site-with-sympa>/wws 
 2.- Login with a valid e-mail and password (or 
click in the Send me Password option and follow 
the instructions) 
 3.- Click on create list option 
 4.- In the "List Name" field enter the text that you 
want. 
 5.- In the "Subject" field enter the subject that 
you want. 
 6.- Select your preferred topic 
 7.- In the description field insert the following 
text :  
  
 Whatever_you_want&lt;script&gt;alert("Your cookie 
is " + document.cookie)&lt;/script&gt; 
 
 8.- Click on "Submit your creation Request" 
button. 
 9.- The list is created. 
 10.- Now, click on "List Info". You will see your 
cookie in a javascript "alert" message box 
 
The fix: 
~~~~~~~~ 
 
The vendor is contacted but no fixes are 
released at the moment. 
 
References 
~~~~~~~~~~ 
 
The bug in the Sympa bugtracking list : 
 
http://listes.cru.fr/mantis/view_bug_advanced_page.php?f_id=0000327 
 
The Sympa web site :  
 
http://www.sympa.org 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es