Skip to Content.
Sympa Menu

announce - [sympa-announce] [Sympa Securty Advisory] 2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface

Subject: Announcements of new sympa release

List archive

[sympa-announce] [Sympa Securty Advisory] 2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface

Chronological Thread  
    < Chronological >       < Thread >
  • From: IKEDA Soji <>
  • To:
  • Subject: [sympa-announce] [Sympa Securty Advisory] 2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface
  • Date: Tue, 5 Jan 2021 10:30:58 +0900
Updated version of this advisory will be found at:
https://sympa-community.github.io/security/2020-003.html

2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface
=======================================================================

The Sympa Community
2021-01-04 (Initial version)


Synopsis
--------

A fix is available for defects in the access restriction of Sympa
SOAP/HTTP interface.


Systems Affected
----------------

- All versions of Sympa prior to 6.2.60


Problem Description
-------------------

Defects has been discovered in ``authenticateAndRun`` call of
Sympa SOAP/HTTP interface by which access restriction can be bypassed,
and therefore these things are allowed:

- bogus session ID
- the session ID which belongs to different user

As a result, any SOAP call can be executed.

For more details see [References](#references).

This problem does not apply to environments where the SOAP/HTTP server
(``sympa_soap_server.fcgi``) is not running.


Impact
------

Attacker can execute any SOAP call by privileges of any Sympa accounts.


Workarounds
-----------

- Currently no workarounds are known except shutting down SOAP/HTTP service.

Solution
--------

- Upgrade Sympa to version 6.2.60 or later

- Source distribution:
[sympa-6.2.60.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.60/sympa-6.2.60.tar.gz)
- Binary distributions: Check release information by
distributors.

or, if you have installed Sympa using earlier version of source distribution,

- Apply a patch:

Patch for Sympa 6.2.28 to 6.2.58:
[sympa-6.2.58-sa-2020-003-r1.patch](https://github.com/sympa-community/sympa/releases/download/6.2.60/sympa-6.2.58-sa-2020-003-r1.patch)


CVE Numbers
-----------

[CVE-2020-29668](https://nvd.nist.gov/vuln/detail/CVE-2020-10936)


References
----------

- [GitHub issue sympa-community/sympa\#1041: Unauthorised full access via
SOAP API due to illegal
cookie](https://github.com/sympa-community/sympa/issues/1041)
- [Sympa 6.2.60
announce](https://github.com/sympa-community/sympa/releases/tag/6.2.60)


Acknowledgements
----------------

The security flaw was initially reported by
Stefan Brenner.


Change log
----------

- 2021-01-04

Initial version published.


  • [sympa-announce] [Sympa Securty Advisory] 2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface, IKEDA Soji, 01/05/2021

Archive powered by MHonArc 2.6.19+.

Top of Page