package: sympa severity: critical version: 6.2.40~dfsg-3 tags: patch A vulnerability has been discovered in the Sympa web interface that can be used to cause a denial of service (DoS).
By submitting requests with malformed parameters, an attacker can use this flaw to create junk files in Sympa's directory for temporary files. In particular, by tampering with the token used to prevent CSRF, an attacker can cause excessive notification messages to be sent to listmasters. Full advisory: https://sympa-community.github.io/security/2020-001.html Regards Racke -- Ecommerce and Linux consulting + Perl and web application programming. Debian and Sympa administration. Provisioning with Ansible.
From 9b86fb3f0337d70221d63392db7d1a52b439dc8f Mon Sep 17 00:00:00 2001
From: IKEDA Soji <ik...@conversion.co.jp>
Date: Tue, 11 Feb 2020 17:52:22 +0900
Subject: [PATCH] Sympa SA 2020-001 (candidate). Denial of service caused by malformed CSRF token.
---
 src/cgi/wwsympa.fcgi.in | 25 +++----------------------
 1 file changed, 3 insertions(+), 22 deletions(-)
diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in
index 2eb8aec..c7b5195 100644
--- a/src/cgi/wwsympa.fcgi.in
+++ b/src/cgi/wwsympa.fcgi.in
@@ -992,9 +992,6 @@ our %in_regexp = (
 # Role
 'role' => 'member|editor|owner',
-
- ## CSRF token is a lower case MD5 hash
- 'csrftoken' => '^[0-9a-f]{32}$',
 );
 ## Regexp applied on incoming parameters (%in)
@@ -1262,8 +1259,6 @@ while ($query = CGI::Fast->new) {
 # affected to another anonymous session.
 undef $ENV{'HTTP_COOKIE'};
 unless (defined $session) {
- Sympa::send_notify_to_listmaster($robot,
- 'failed_to_create_web_session', {});
 wwslog('info', 'Failed to create session');
 $session = Sympa::WWW::Session->new($robot, {});
 }
@@ -2149,32 +2144,18 @@ sub get_parameters {
 if ($one_p !~ /^$regexp$/s
 || (defined $negative_regexp && $one_p =~ /$negative_regexp/s)
 ) {
- ## Dump parameters in a tmp file for later analysis
- my $dump_file =
- Conf::get_robot_conf($robot, 'tmpdir')
- . '/sympa_dump.'
- . time . '.'
- . $PID;
- unless (open DUMP, ">$dump_file") {
- wwslog('err', 'Failed to create %s: %s',
- $dump_file, $ERRNO);
- }
- Sympa::Tools::Data::dump_var(\%in, 0, \*DUMP);
- close DUMP;
-
 Sympa::WWW::Report::reject_report_web('user', 'syntax_errors',
 {p_name => $p}, '', '');
 wwslog(
 'err',
- 'Syntax error for parameter %s value "%s" not conform to regexp:%s; dumped vars in %s',
+ 'Syntax error for parameter %s value "%s" not conform to regexp:%s',
 $pname,
 $one_p,
- $regexp,
- $dump_file
+ $regexp
 );
 $in{$p} = '';
- next;
+ last;
 }
 }
 }
-- 
1.8.3.1
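Review bot: Dropping the `'csrftoken'` entry from `%in_regexp` means a malformed token is no longer rejected by the generic parameter syntax check and presumably reaches the request handler unfiltered; that is only sound if the CSRF comparison itself treats any non-matching value as a plain failed check that neither notifies listmasters nor writes into the tmp directory, and that comparison is not part of this patch, so it should be confirmed on the other side. A short comment where the entry stood would keep a future maintainer from re-adding the pattern and, with it, the amplification path the advisory describes: `# csrftoken is deliberately not syntax-checked here; a bad token is handled by the CSRF check itself, not by the reject/dump path`. The `%in_regexp` initializer starts before the hunk.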
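Review bot: With the listmaster notification gone, a failed session creation now leaves only `wwslog('info', 'Failed to create session')`, so a genuine backend fault (for example an unreachable session store) is no longer surfaced to anyone and is logged at a level that routine log filtering may discard. Since the notification was removed outright rather than rate-limited, raising the surviving line to the `'err'` level this file already uses elsewhere, `wwslog('err', 'Failed to create session');`, keeps the condition visible to operators without giving a client a way to generate mail. The enclosing `while ($query = CGI::Fast->new)` loop starts and ends outside the hunk.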
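Review bot: The retained `wwslog('err', ...)` still writes the raw client-supplied `$one_p` to the log for every rejected request, so although the per-request tmp file is gone, each malformed request still costs an attacker-sized log write, and whether `wwslog` neutralises embedded newlines is not visible in this hunk; passing a bounded copy such as `substr($one_p, 0, 128)` in place of `$one_p` caps that cost. The unchanged test at the top of the hunk, `/^$regexp$/s`, interpolates the pattern without grouping, so an alternation like the `'member|editor|owner'` entry in the first hunk becomes `^member|editor|owner$` with only the outer branches anchored, and `$` also matches before a trailing newline; `/\A(?:$regexp)\z/s` anchors every branch and rejects the trailing newline. The switch from `next` to `last` stops scanning further values of the same parameter once one is rejected, which is consistent with the `$in{$p} = ''` reset but deserves a comment because the loop it leaves starts before the hunk: `# one bad value invalidates the whole parameter; do not examine the rest`. sub get_parameters begins before this hunk.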