sympa-community.github.io
Incubating the new Sympa documentation site
2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface
The Sympa Community 2021-01-06 (Update)
Synopsis
A fix is available for defects in the access restriction of Sympa SOAP/HTTP interface.
Systems Affected
- All versions of Sympa prior to 6.2.60
Problem Description
Defects has been discovered in authenticateAndRun call of
Sympa SOAP/HTTP interface by which access restriction can be bypassed,
and therefore these things are allowed:
- bogus session ID
- the session ID which belongs to different user
As a result, any SOAP call can be executed.
For more details see References.
This problem does not apply to environments where the SOAP/HTTP server
(sympa_soap_server.fcgi) is not running.
Impact
Attacker can execute any SOAP call by privileges of any Sympa accounts.
Workarounds
- Currently no workarounds are known except shutting down SOAP/HTTP service.
Solution
-
Upgrade Sympa to version 6.2.60 or later
- Source distribution: sympa-6.2.60.tar.gz
- Binary distributions: Check release information by distributors.
or, if you have installed Sympa using earlier version of source distribution,
-
Apply a patch:
Patch for Sympa 6.2.28 to 6.2.58: sympa-6.2.58-sa-2020-003-r1.patch
Patch for Sympa 6.2 to 6.2.24: sympa-6.2.24-sa-2020-003-r1.patch
Patch for Sympa 6.1.25: sympa-6.1.25-sa-2020-003-r1.patch
CVE Numbers
References
- GitHub issue sympa-community/sympa#1041: Unauthorised full access via SOAP API due to illegal cookie
- Sympa 6.2.60 announce
Acknowledgements
The security flaw was initially reported by Stefan Brenner.
Change log
-
2021-01-04
Initial version published.
-
2021-01-06
Solution: Added reference to patches for version 6.2.24 or earlier.
Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.
Theme originally designed by orderedlist