The Sympa Community
2018-07-03 (Update)
A fix is available for a vulnerability discovered in the Sympa web interface.
A vulnerability has been discovered in the Sympa web interface that allows write access to files on the server filesystem.
This flaw makes it possible to create or modify any file on the server filesystem that is writable by the Sympa user, using the template file saving function of the Sympa web interface.
Possibility to create or modify files on the server filesystem.
Users who can't upgrade to the latest version have the following workaround: disable access to the corresponding function through the web interface, <wwsympa_url>/savefile/. For more details, consult the documentation of the HTTP server you are using.
Upgrade to version 6.2.32
or
Apply a patch
Download the appropriate patch file and save it on your server. Move into the directory where wwsympa.fcgi is installed, and apply the patch:
# patch -p1 < sympa-6.2.XX-sa-2018-001.patch
Then restart the web interface.
Versions prior to 6.2 are no longer maintained. Users of these versions should upgrade to 6.2.32 to prevent potential attacks.
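To confirm that the workaround above is in effect, and to review earlier use of the template saving function, the HTTP server's access log can be checked for requests under <wwsympa_url>/savefile/. The script below is an added example, not part of the advisory or of Sympa; it assumes a common/combined log format, that <wwsympa_url> maps to /sympa, and that the deny rule answers 403 or 404. Requests that were not blocked are not necessarily malicious, since template saving is a normal function, but they are the ones to review.

```python
import posixpath
import re
from collections import namedtuple
from urllib.parse import unquote

WWSYMPA_PATH = "/sympa"        # assumption: stands in for <wwsympa_url>
BLOCKED_STATUSES = {403, 404}  # assumption: what the deny rule answers with

# Constructed sample lines (documentation addresses, invented users and paths).
SAMPLE_LOG = [
    '192.0.2.10 - alice [18/Apr/2018:09:12:01 +0200] "GET /sympa/home HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [18/Apr/2018:09:14:37 +0200] "POST /sympa/savefile/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Apr/2018:11:02:13 +0200] "POST /sympa/savefile/mylist HTTP/1.1" 200 1987',
    '192.0.2.10 - alice [20/Apr/2018:08:30:00 +0200] "POST /sympa/savefile/ HTTP/1.1" 403 199',
]

# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

Hit = namedtuple("Hit", "host user time method path status blocked")

def normalise(target):
    """Drop the query string, percent-decode, and collapse '//' and dot segments,
    so differently written forms of the same path compare equal."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def savefile_hits(lines, base=WWSYMPA_PATH):
    """Return every logged request to <base>/savefile or below, with its outcome."""
    prefix = base.rstrip("/") + "/savefile"
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line in the expected format
        path = normalise(m["target"])
        if path != prefix and not path.startswith(prefix + "/"):
            continue  # some other wwsympa function or an unrelated URL
        status = int(m["status"])
        hits.append(Hit(m["host"], m["user"], m["time"], m["method"],
                        path, status, status in BLOCKED_STATUSES))
    return hits

if __name__ == "__main__":
    for h in savefile_hits(SAMPLE_LOG):
        state = "blocked" if h.blocked else "NOT blocked, review"
        print(f"{h.time} {h.host} {h.user} {h.method} {h.path} -> {h.status} {state}")
```

Run it over the real log by passing an open file object instead of SAMPLE_LOG; once the workaround is active, every new hit should show as blocked.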
The security flaw this advisory describes was reported by Michael Kaczmarczik, UT Austin ITS, Systems Enterprise Services, working with the UT Austin Information Security Office.
This advisory was published with the assistance of CERT RENATER.
2018-04-19: Initial version published
2018-07-03: Updated
Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.