2020-001 Security flaws in CSRF prevention
The Sympa Community 2020-02-24 (Update)
A fix is available for a vulnerability discovered in the Sympa web interface.
Affected versions:
- Sympa version 6.2.38 to 6.2.52 inclusive.
A vulnerability has been discovered in the Sympa web interface that can be used to mount a denial of service (DoS) attack.
By submitting requests with malformed parameters, an attacker can create junk files in Sympa's directory for temporary files. In particular, by tampering with the token used to prevent CSRF, an attacker can cause excessive notification messages to be sent to listmasters.
Impact: possible denial of service (DoS) through a full disk or a flood of notification messages.
No workaround is known at present.
Upgrade to version 6.2.54
- Source distribution: sympa-6.2.54.tar.gz
- Binary distributions: check the release information provided by your distributor.
Apply a patch
Download the appropriate patch file and save it on your server. Move into the directory where
wwsympa.fcgi is installed, and apply the patch:
# patch -p1 < sympa-6.2.XX-sa-2020-001.patch
Then restart the web interface.
The security flaw this advisory describes was reported by Javier Moreno.
History: initial version published.
CVE numbers: CVE-2020-9369 has been assigned to this issue.