Cross Site Scripting Vulnerability in Sympa
---------------------------------------------------------------------------
Author: Joxean Koret
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sympa version 4.1.x and versions prior to 4.1
Sympa is a feature-rich open source mailing list software. Its design focuses heavily on customization possibilities and ease of administration.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerability
A1. I found a cross site scripting vulnerability in the creation list option.
This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
To test it, follow these steps:
1.- Navigate to http://<site-with-sympa>/wws
2.- Log in with a valid e-mail and password (or click on the "Send me Password" option and follow the instructions)
3.- Click on the "create list" option
4.- In the "List Name" field enter the text that you want.
5.- In the "Subject" field enter the subject that you want.
6.- Select your preferred topic
7.- In the description field insert the following text:
Whatever_you_want<script>alert("Your cookie is " + document.cookie)</script>
8.- Click on the "Submit your creation Request" button.
9.- The list is created.
10.- Now, click on "List Info". You will see your cookie in a JavaScript "alert" message box.
The fix:
~~~~~~~~
The vendor has been contacted, but no fix has been released at the moment.
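Added example (not part of the original advisory and not Sympa's own code): a Perl illustration of the stored-input pattern behind A1 and of output encoding as the mitigation, run against the description text from step 7 as constructed input. The function names, the record layout and the HTML markup are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration; not Sympa source code. All names are hypothetical.
use strict;
use warnings;

# Escape the characters that are significant in HTML text and in quoted
# attribute values. '&' must be replaced first so that the entities
# produced by the later substitutions are not escaped a second time.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Vulnerable pattern: the stored description is interpolated verbatim,
# so markup submitted at list creation runs for every later visitor.
sub render_info_unsafe {
    my ($list) = @_;
    return "<h1>$list->{name}</h1>\n"
         . "<div class=\"desc\">$list->{description}</div>\n";
}

# Hardened pattern: every stored field is encoded at output time,
# regardless of what was accepted when the list was created.
sub render_info_safe {
    my ($list) = @_;
    return sprintf "<h1>%s</h1>\n<div class=\"desc\">%s</div>\n",
        escape_html($list->{name}), escape_html($list->{description});
}

# Constructed sample record using the description from step 7.
my %list = (
    name        => 'test-list',
    description => 'Whatever_you_want<script>alert("Your cookie is " + document.cookie)</script>',
);

print "--- unsafe ---\n", render_info_unsafe(\%list);
print "--- safe ---\n",   render_info_safe(\%list);

# Regression check: no raw script tag may survive in the safe output.
die "unescaped markup in safe output\n"
    if render_info_safe(\%list) =~ /<script/i;
```

Encoding at output time covers descriptions that were already stored before any input filter was added.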
References
~~~~~~~~~~
The bug in the Sympa bugtracking list :
http://listes.cru.fr/mantis/view_bug_advanced_page.php?f_id=0000327
The Sympa web site :
http://www.sympa.org
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es