CSRF protection needs to be extended to the user options page

Bug #1614841 reported by Mark Sapiro
This bug affects 2 people
Affects: GNU Mailman
Status: Fix Released
Importance: Medium
Assigned to: Mark Sapiro
Milestone: (none)

Bug Description

There is a possibility of a CSRF attack via the user options page which could allow an attacker to discover a user's password. Reported by Nishant Agarwala.
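The defence for this class of bug is to make every state-changing form on the options page carry a token that an attacker's cross-site form cannot forge: the token is bound to the list, the logged-in user, the form context and an issue time, and the handler rejects any POST whose token does not verify. The block below is an added illustration of that pattern, not Mailman's code and not the patch attached to this bug; the secret, TTL, field names and `handle_options_post` handler are all constructed for the example.

```python
"""Added illustration: HMAC-based CSRF token for a per-list, per-user web form.
Hypothetical code written for this page; it is not Mailman's implementation."""
import hashlib
import hmac
import time

# Constructed server-side secret for the example. A real deployment derives one
# from site or list configuration and never ships it in source (assumption).
SERVER_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_TTL_SECONDS = 3600


def make_csrf_token(listname, user, context, issued=None, secret=SERVER_SECRET):
    """Return 'issued:hexmac'. The MAC covers list, user, context and issue time,
    so a token minted for one list, user or form cannot be replayed on another."""
    issued = int(time.time()) if issued is None else int(issued)
    message = f"{listname}|{user}|{context}|{issued}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def check_csrf_token(token, listname, user, context, now=None,
                     ttl=TOKEN_TTL_SECONDS, secret=SERVER_SECRET):
    """Recompute the MAC for the claimed issue time and compare in constant time.
    Rejects malformed, stale or future-dated tokens before touching the MAC."""
    now = int(time.time()) if now is None else int(now)
    if not isinstance(token, str) or ":" not in token:
        return False
    issued_text, mac = token.split(":", 1)
    if not issued_text.isdigit():
        return False
    issued = int(issued_text)
    if issued > now or now - issued > ttl:
        return False
    message = f"{listname}|{user}|{context}|{issued}".encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_options_post(form, listname, session_user, require_token, now=None):
    """Simulated options-page POST handler; `form` is a dict of submitted fields.
    With require_token=False a cross-site form submission is honoured (the
    vulnerable behaviour); with require_token=True the token must verify for the
    session user, this list and the 'user' context, or the request is dropped."""
    if require_token:
        token = form.get("csrf_token", "")
        if not check_csrf_token(token, listname, session_user, "user", now=now):
            return "rejected: missing or invalid CSRF token"
    # The state-changing action stands in for whatever the real form does.
    changed = sorted(k for k in form if k != "csrf_token")
    return f"applied: {changed}"


if __name__ == "__main__":
    # A page the attacker auto-submits from another origin carries no token.
    forged = {"fullname": "attacker", "new-address": "evil@example.net"}
    print(handle_options_post(forged, "mylist", "alice@example.com", require_token=False))
    print(handle_options_post(forged, "mylist", "alice@example.com", require_token=True))
    # A form the server rendered for alice carries a token that verifies.
    legit = dict(forged, csrf_token=make_csrf_token("mylist", "alice@example.com", "user"))
    print(handle_options_post(legit, "mylist", "alice@example.com", require_token=True))
```

Binding the context into the MAC matters: a token issued for an admin form must not be accepted on the user options form, and vice versa, otherwise protecting one interface leaves a path through the other. The constant-time comparison avoids leaking the expected MAC through timing.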

Revision history for this message
Mark Sapiro (msapiro) wrote :

CVE-2016-6893 has been assigned for this issue.

Mark Sapiro (msapiro)
description: updated
Revision history for this message
Mike Cave (mcave) wrote :

What versions does this bug affect?

Revision history for this message
Mark Sapiro (msapiro) wrote :

> What versions?

All Mailman 2.1.x prior to 2.1.23. However, versions older than 2.1.15 are also vulnerable to CSRF attacks on the admin web interface.

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Released
Revision history for this message
Mark Sapiro (msapiro) wrote :

A patch to fix this which is applicable to Mailman >= 2.1.15 and <= 2.1.22 is attached here. This fix has also been released as part of Mailman 2.1.23.

Revision history for this message
Mark Sapiro (msapiro) wrote :

The patch attached at https://bugs.launchpad.net/mailman/+bug/1614841/comments/4 may look garbled if opened in your browser, but the downloaded file should be OK.

Revision history for this message
Matthias Andree (matthias-andree) wrote :

Re Comment #3, it appears this has triggered a new CVE-2016-7123 to be issued, based just on this one line that Mark Sapiro wrote with no other confirmation than this launchpad bug #1614841, but I wonder if the latter CVE (CVE-2016-7123) is a duplicate of the old CVE-2011-0707, or a new separate issue. Haven't been able to find relevant information so far, and people are also wondering and reporting this elsewhere. <https://www.cvedetails.com/cve/CVE-2011-0707/>

Related: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378 <- requesting FreeBSD to list CVE-2016-7123 as a new bug (note that FreeBSD already marked CVE-2016-6893 which covers a wider span of versions).

Revision history for this message
Mark Sapiro (msapiro) wrote :

CVE-2011-0707 is not related to this CSRF issue. It references an XSS vulnerability that was fixed in Mailman 2.1.15 and so noted in the changelog of that release at https://launchpad.net/mailman/2.1/2.1.15

CVE-2016-7123 is a new CVE that apparently just acknowledges the CSRF vulnerability in the admin interface that exists in Mailman prior to 2.1.15. See https://bugs.launchpad.net/mailman/+bug/775294
