Description: A vulnerability and a weakness have been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially brute force a user's password.
1) Input is not properly sanitised by "scripts/driver" when returning error pages. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of a vulnerable site by tricking a user into visiting a malicious web site or follow a specially crafted link.
2) A weakness in the algorithm of the automatic password generation causes only about five million different passwords to be generated. This makes it easier to brute force automatically generated passwords.
Solution: 1) Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
2) Choose a strong password for subscriptions, instead of letting Mailman generate one.
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
