Skip to Content.
Sympa Menu

announce - [sympa-announce] [Sympa Securty Advisory] 2020-001 Security flaws in CSRF prevension

Subject: Announcements of new sympa release

List archive

Chronological Thread  
  • From: IKEDA Soji <>
  • To:
  • Subject: [sympa-announce] [Sympa Securty Advisory] 2020-001 Security flaws in CSRF prevension
  • Date: Mon, 24 Feb 2020 15:10:29 +0900

To get updated version of this document, see:
- https://sympa-community.github.io/security/2020-001.html

------------------------------------------------------------------------

2020-001 Security flaws in CSRF prevension
==========================================

The Sympa Community
2020-02-24 (Initial version)


Synopsis
--------

A fix is available for a vulnerability discovered in Sympa web
interface.


Systems Affected
----------------

- Sympa version 6.2.38 to 6.2.52 inclusive.


Problem Description
-------------------

A vulnerability has been discovered in Sympa web interface that can
cause denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows to
create junk files in Sympa's directory for temporary files. And
particularly by tampering token to prevent CSRF, it allows to originate
exessive notification messages to listmasters.


Impact
------

Possibility of denial of service (DoS) because of disk full or flooding
messages.


Workarounds
-----------

No workaround is known at the present.


Solution
--------

- Upgrade to version 6.2.54

- Source distribution:
[sympa-6.2.54.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.54/sympa-6.2.54.tar.gz)
- Binary distributions: Check release information by
distributors.

or

- Apply a patch

-
[sympa-6.2.52-sa-2020-001.patch](https://github.com/sympa-community/sympa/releases/download/6.2.54/sympa-6.2.52-sa-2020-001.patch)

Download appropriate patch file and save it in your server. Move
into the directory where `wwsympa.fcgi` is installed, and apply
patch:
``` bash
# patch -p1 < sympa-6.2.XX-sa-2020-001.patch
```
Then restart web interface.


CVE Numbers
-----------

None yet.


References
----------

- [GitHub issue sympa-community/sympa\#886: Security flaws in CSRF
prevension](https://github.com/sympa-community/sympa/issues/886)
- [Sympa 6.2.54
announce](https://github.com/sympa-community/sympa/releases/tag/6.2.54)


Acknowledgements
----------------

The security flaw this advisory describes was reported by Javier Moreno.


Change log
----------

- 2020-02-24

Initial version published.


  • [sympa-announce] [Sympa Securty Advisory] 2020-001 Security flaws in CSRF prevension, IKEDA Soji, 02/24/2020

Archive powered by MHonArc 2.6.19+.

Top of Page