Launchpad itself

XSS issue in lists.launchpad.net

Bug #741527 reported by David on 2011-03-24

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	Critical	Unassigned	Launchpad itself 11.04

Bug Description

This isn't a 'new' bug but lists.launchpad.net runs an outdated version of MHonArc (v2.6.16 )
as noted at http://www.mhonarc.org/ "MHonArc releases prior to v2.6.18 have known vulnerabilities to the HTML filter, making web sites hosting MHonArc web archives vulnerable to XSS attackes. All users are STRONGLY encouraged to upgrade to the latest release. " CVE-2010-4524 was assigned to the bug.

I tested using a mailing list(which I have since deleted) that lists.launchpad.net is vulnerable to CVE-2010-4524.

Tags:

CVE References

2010-4524

Revision history for this message

Curtis Hovey (sinzui) wrote on 2011-03-24:

Oh dear. Which list did you create because archives are not deletable. An admin is needed to do what you think you have done.

Changed in launchpad:
status:	New → Triaged
importance:	Undecided → Critical
tags:	added: javascript ml-archive-sucks

Revision history for this message

David (d--) wrote on 2011-03-24:

the list which was located at https://lists.launchpad.net/aaaaaaaaaaaaaaaaaaa/ . Well my user cannot access it - that's probably 'good enough tm'. There is only one message in the archive that has javascript in it and that only shows an alert 1 dialogue.

Revision history for this message

Curtis Hovey (sinzui) wrote on 2011-03-24:

Oh good. we hit the openid death spiral bug. Well we do not need to delete this immediately since there is no one working on this.

Revision history for this message

Curtis Hovey (sinzui) wrote on 2011-03-24:

The proposed fix is not trustworthy. It can be circumvented by someone with moderate skill and intent. We only accept plain text email. I think we want to escape the body and subject before appending the email to the archive.

summary:

- this isn't a 'new' bug but lists.launchpad.net
+ XSS issue in lists.launchpad.net

Curtis Hovey (sinzui) on 2011-03-29

Changed in launchpad:
status:	Triaged → In Progress
assignee:	nobody → Curtis Hovey (sinzui)
milestone:	none → 11.04

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2011-04-01:

Fixed in stable r12714 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/12714>.

tags:	added: qa-needstesting
Changed in launchpad:
status:	In Progress → Fix Committed

Revision history for this message

Curtis Hovey (sinzui) wrote on 2011-04-01:

QA is blocked until we get lists.staging.launchpad.net fixed.

William Grant (wgrant) on 2011-04-04

tags:

added: qa-ok
removed: qa-needstesting

William Grant (wgrant) on 2011-04-04

Changed in launchpad:
status:	Fix Committed → Fix Released

David (d--) on 2011-04-05

visibility:

private → public

Curtis Hovey (sinzui) on 2017-05-15

Changed in launchpad:
assignee:	Curtis Hovey (sinzui) → nobody

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.