CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI.

Updated mailman packages that fix a security issue and various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Mailman is a program used to help manage email discussion lists.

A flaw was found in Mailman. A remote attacker could spoof messages in the error log, and possibly trick the administrator into visiting malicious URLs via a carriage return/line feed sequence in the URI.
(CVE-2006-4624)

As well, these updated packages fix the following bugs :

* canceling a subscription on the confirm subscription request page caused mailman to crash.

* editing the sender filter caused all spam filter rules to be deleted.

* the migrate-fhs script was not included.

* the mailman init script returned a zero (success) exit code even when an incorrect command was given. For example, the 'mailman foo' command returned a zero exit code. In these updated packages the mailmain init script returns the correct exit codes.

Users of Mailman are advised to upgrade to these updated packages, which resolve these issues.

A flaw was found in Mailman. A remote attacker could spoof messages in the error log, and possibly trick the administrator into visiting malicious URLs via a carriage return/line feed sequence in the URI.
(CVE-2006-4624)

As well, these updated packages fix the following bugs :

  - canceling a subscription on the confirm subscription     request page caused mailman to crash.

  - editing the sender filter caused all spam filter rules     to be deleted.

  - the migrate-fhs script was not included.

  - the mailman init script returned a zero (success) exit     code even when an incorrect command was given. For     example, the 'mailman foo' command returned a zero exit     code. In these updated packages the mailmain init script     returns the correct exit codes.

A flaw was discovered in how Mailman handles MIME multipart messages where an attacker could send a carefully-crafted MIME multipart message to a Mailman-run mailing list causing that mailing list to stop working (CVE-2006-2941).

As well, a number of XSS (cross-site scripting) issues were discovered that could be exploited to perform XSS attacks against the Mailman administrator (CVE-2006-3636).

Finally, a CRLF injection vulnerability allows remote attackers to spoof messages in the error log (CVE-2006-4624).

Updated packages have been patched to address these issues.

Several security related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-3636     Moritz Naumann discovered several cross-site scripting     problems that could allow remote attackers to inject     arbitrary web script code or HTML.

  - CVE-2006-4624     Moritz Naumann discovered that a remote attacker can     inject arbitrary strings into the logfile.

The version of Mailman installed on the remote host fails to sanitize user-supplied input before writing it to the application's 'error' log.  An unauthenticated remote attacker can leverage this flaw to spoof log messages.  In addition, the application is reportedly affected by a denial of service issue involving headers that do not conform to RFC 2231 as well as several cross-site scripting vulnerabilities.

The version of Mailman installed on the remote host fails to sanitize user-supplied input before writing it to the application's 'error' log.  An unauthenticated, remote attacker can leverage this flaw to spoof log messages. 

In addition, the application reportedly is affected by a denial of service issue involving headers that do not conform to RFC 2231 as well as several cross-site scripting vulnerabilities.

Secunia reports :

Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service).

1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL.

Successful exploitation may trick an administrator into visiting a malicious website.

2) An error in the processing of malformed headers which does not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service).

3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

ID	Name	Product	Family	Severity
67057	CentOS 4 : mailman (CESA-2007:0779)	Nessus	CentOS Local Security Checks	low
60303	Scientific Linux Security Update : mailman on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	low
28241	RHEL 4 : mailman (RHSA-2007:0779)	Nessus	Red Hat Local Security Checks	low
23909	Mandrake Linux Security Advisory : mailman (MDKSA-2006:165)	Nessus	Mandriva Local Security Checks	medium
22730	Debian DSA-1188-1 : mailman - format string	Nessus	Debian Local Security Checks	medium
3737	Mailman < 2.1.9rc1 Spoofed Log Entry Injection	Nessus Network Monitor	CGI	medium
22307	Mailman Utils.py Spoofed Log Entry Injection	Nessus	CGI abuses	low
22304	FreeBSD : mailman -- Multiple Vulnerabilities (fffa9257-3c17-11db-86ab-00123ffe8333)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2006-4624

medium

Tenable Plugins

low

low

low

medium

medium

medium

low

high