announce - [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • From: IKEDA Soji
  • Subject: [sympa-announce] [Security advisory] 2018-001 Security flaws in template editing
  • Date: Thu, 19 Apr 2018 22:19:09 +0900

The latest version of this advisory is available at
<https://sympa-community.github.io/security/2018-001.html>

2018-001 Security flaws in template editing
===========================================

The Sympa Community
2018-04-19 (Initial version)

Synopsis
--------

A fix is available for a vulnerability discovered in the Sympa web
interface.


Systems Affected
----------------

- All versions prior to Sympa 6.2.32


Problem Description
-------------------

A vulnerability has been discovered in the Sympa web interface that
allows write access to files on the server filesystem.

Through the template file saving function of the Sympa web
interface, this flaw allows creating or modifying any file on the
server filesystem that is writable by the Sympa user.


Impact
------

Possibility to create or modify files on the server filesystem.


Workarounds
-----------

Users who can't upgrade to the latest version have the following
workaround: disable access to the affected function through the
web interface.

- Configure the HTTP server to deny access to the location under
`<wwsympa_url>/savefile/`. For details, consult the documentation
of the HTTP server you are using.
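The following Apache httpd 2.4 fragment is an added example of the workaround above; it is not part of the advisory or of the Sympa project. It assumes the configured `wwsympa_url` path is `/sympa` (a placeholder; substitute your own) and that the virtual host shown is the one serving the Sympa web interface.

```apache
# Added example (not from the advisory): deny the template-saving endpoint
# until the server can be upgraded to Sympa 6.2.32.
# Assumption: wwsympa_url is "/sympa" (placeholder, replace with your own).
<VirtualHost *:443>
    ServerName lists.example.org

    # ... existing Sympa FastCGI / alias directives stay unchanged ...

    # <Location> matches on the request URL prefix, so this applies however
    # wwsympa.fcgi is mounted (ScriptAlias, mod_fcgid or mod_proxy_fcgi).
    # "/sympa/savefile" also covers "/sympa/savefile/" and everything below it.
    <Location "/sympa/savefile">
        Require all denied
    </Location>
</VirtualHost>
```

After reloading httpd, `curl -sI https://lists.example.org/sympa/savefile/ | head -1` should return `HTTP/1.1 403 Forbidden` while the rest of the interface keeps working. The nginx equivalent is `location ^~ /sympa/savefile { return 403; }`; the `^~` modifier keeps a broader regex `location` that forwards to the FastCGI backend from overriding it. Note that the rule also blocks legitimate template editing by listmasters, so it is a stopgap until the upgrade or patch is applied.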


Solution
--------

- Upgrade to version 6.2.32

- Source distribution: [sympa-6.2.32.tar.gz]
  <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz>
- Binary distributions: check the release information from your
  distributor.

or

- Apply a patch

- For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch]
  <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch>
- For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch]
  <https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch>

Download the appropriate patch file and save it on your server. Change
into the directory where `wwsympa.fcgi` is installed, and apply the
patch:

# patch -p1 < sympa-6.2.XX-sa-2018-001.patch

Then restart the web interface.

Versions prior to 6.2 are no longer maintained. Users of these
versions should upgrade to 6.2.32 to prevent potential attacks.


CVE Numbers
-----------

Pending.


References
----------

- [Sympa 6.2.32 announce]
<https://github.com/sympa-community/sympa/releases/tag/6.2.32>


Change log
----------

- 2018-04-19: Initial version published

