sympa-community.github.io

2015-001 Security breaches in newsletter posting (CVE-2015-1306)

CVE number: CVE-2015-1306

1. Threat

Possibility to access files on the server filesystem.

2. Systems Affected

All Sympa branches are affected.

3. Summary

A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem.

Using the newsletter posting area of the Sympa web interface, this flaw makes it possible to send to a list or a user any file on the server filesystem that is readable by the Sympa user.

4. Solution

Users who cannot upgrade to the latest versions can apply the following workaround: prevent mail sending through the web interface.

Older versions are no longer maintained. Users of these versions should upgrade to 6.1.24 or 6.0.10 to prevent potential attacks.

CC BY-SA 4.0 Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.
