[sympa-announce] Sympa Security Advisory: 2021-001 Inappropriate use of the ~cookie~ parameter
- From: IKEDA Soji
- Date: Tue, 27 Apr 2021 15:40:06 +0900 (JST)
Title: Sympa Security Advisory 2021-001 ・ sympa-community/sympa
An updated version of this advisory will be found here: https://sympa-community.github.io/security/2021-001.html.
2021-001 Inappropriate use of the cookie parameter
The Sympa Community 2021-04-27 (Initial version)
Synopsis
Operating Sympa without setting the cookie parameter defeats the protections that depend on it, and even a properly set value may not provide sufficient security.
Systems Affected
- All versions of Sympa prior to 6.2.62.
Problem Description
Earlier versions of Sympa require a parameter named “cookie” in the sympa.conf configuration file.
This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used:
- As the salt (in effect, the secret key) for reversibly encrypting passwords stored in the database with the RC4 symmetric-key algorithm, so anyone who learns the parameter can recover the stored passwords. Note that RC4 is no longer considered secure and is not supported in the current version of Sympa.
- To keep attackers from sending crafted messages that achieve XSS and similar attacks in message archives.
The use of this parameter had the following problems.
- To serve its purpose, the parameter must be different for each installation, and once set it cannot be changed, because stored passwords and generated identifiers depend on it. As a result, some sites have been operating without setting this parameter at all, which completely defeats the security measures described above.
- Even when this parameter is properly set, its value may not be strong enough to resist brute-force attacks.
For these reasons, administrators are advised to take the measures described below.
Impact
An attacker can achieve XSS and similar attacks in message archives.
Workarounds
If you are operating without the cookie parameter set and cannot upgrade to the latest version of Sympa right now, set a value for this parameter to mitigate the risk. Choose a long random value that is unique to your installation, not a dictionary word or a value shared between sites.
However, if you are using 6.2.40 or earlier, you must first convert your RC4-encrypted passwords by running upgrade_sympa_password.pl (with 6.2.16 or later) or sympa.pl --md5_encode_password (earlier versions) before setting this parameter; RC4-encrypted passwords can only be decrypted with the parameter value under which they were encrypted.
Note that after setting this parameter you must restart all of the Sympa services you run (the Sympa daemons, WWSympa and the Sympa SOAP service).
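As an added example (not the advisory's text or the Sympa project's own code), the following POSIX shell script checks whether a sympa.conf sets the cookie parameter and, if it does not, proposes a value drawn from the operating system's random generator. The default path /etc/sympa/sympa.conf and the contents of the sample configuration it builds for the stand-alone demo are assumptions. The script only prints; it never edits the file, because on 6.2.40 or earlier the password conversion described above must run before the parameter is set.

```shell
#!/bin/sh
# Added example for the cookie-parameter workaround; not code from the Sympa
# project or the advisory. Inspects a sympa.conf and prints a suggested line.
# The default path /etc/sympa/sympa.conf is an assumption; pass your own path.
set -eu

# sympa.conf lines have the form "parameter value". Succeed (exit 0) only if
# an uncommented "cookie" line with a non-empty value is present.
sympa_cookie_is_set() {
    grep -Eq '^[[:space:]]*cookie[[:space:]]+[^[:space:]#]' "$1"
}

# Produce a per-installation secret: 32 bytes from the OS CSPRNG printed as
# 64 hex digits, which is far outside brute-force range, unlike a short word.
gen_cookie() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Report the state of the file. Returns 0 when cookie is set, 1 when it is
# not (and prints the steps an administrator still has to carry out).
check_cookie() {
    conf="${1:-/etc/sympa/sympa.conf}"
    if sympa_cookie_is_set "$conf"; then
        echo "OK: $conf sets the cookie parameter; do not change it."
        return 0
    fi
    echo "WARNING: $conf does not set the cookie parameter."
    echo "On 6.2.40 or earlier, run upgrade_sympa_password.pl (or sympa.pl --md5_encode_password) first."
    echo "Then add the line below and restart the Sympa, WWSympa and SOAP services:"
    echo "cookie $(gen_cookie)"
    return 1
}

# Stand-alone demo on a constructed sympa.conf (not any real site's config).
demo() {
    tmp=$(mktemp)
    printf 'domain lists.example.com\nlistmaster listmaster@example.com\n' > "$tmp"
    check_cookie "$tmp" || true      # a WARNING plus a suggested line is expected
    rm -f "$tmp"
}

if [ $# -eq 0 ]; then demo; else check_cookie "$1"; fi
```

Run it as `sh check_cookie.sh /path/to/sympa.conf`; with no argument it runs on the constructed sample. A 64-hex-digit value addresses the advisory's second problem (a value too weak to resist brute force), but the first problem still applies: once a value is set and stored passwords or archive identifiers depend on it, it must not be changed.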
Solution
The best solution is to upgrade to Sympa 6.2.62 or later, which no longer uses the cookie parameter.
See “Upgrading Sympa” in the Administration Manual for upgrading instructions.
CVE Numbers
None yet.
References
- GitHub issue sympa-community/sympa#1091: Obsolete cookie parameter
Change log
- 2021-04-27: Initial version published.