devel - Re: [sympa-dev] Security issue on wwsympa code

Subject: Developers of Sympa

  • From: Olivier Berger <address@concealed>
  • To: Olivier Salaün <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [sympa-dev] Security issue on wwsympa code
  • Date: Wed, 13 Aug 2008 17:29:43 +0200

On Wednesday 13 August 2008 at 17:14 +0200, Olivier Salaün wrote:
> Olivier,
>
> Thanks for reporting your thoughts about potential attacks, however it
> does not seem to be a legitimate threat for the following reasons:
>
> 1. new_d_read() in wwsympa.fcgi is a dead function (aimed at
> replacing wwsympa::do_d_read() ) and therefore this code cannot be run

Great. Relieved ;)

> 2. the make_alias_file code in sympa.pl does create a file in /tmp
> directory, however the data it writes are hard-coded, no
> possibility of data injection
>

Well, there's still the possibility that these files are already
existing symlinks to other important files, which may then see their
content be overwritten. That should be too bad if the sympa.pl was
running with some privileges (allowing overwrite of the files), and that
code was reached when running with these privileges...
I've not checked to see what --make_alias_file is supposed to be invoked
for... but let's hope it's not run periodically as root with a
predictable PID...

I'd be glad if you could elaborate on that second issue in sympa.pl to
know if we have to clear alarming flags on Debian's bugtracker (and
other security related databases, maybe).

> On a more general perspective, I don't consider symlink attacks as
> significant threats on a mailing list server because these attacks
> require a user to login and define a symlink. You would not have user
> accounts on a mailing list server.
>

Unlikely, unless there's some flawed application elsewhere ;-) Better
safe than sorry.

So I guess it's not top priority of course, but a possibility exists
anyhow.

> However, we're going to make some cleanup in the code to a) remove the
> debug code you mentioned, b) use Sympa's own tmp/ directory instead of
> /tmp when needed.
>

Thanks. Feel free to point to appropriate patches in
http://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4430 please.

Best regards,
--
Olivier BERGER <address@concealed>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
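
Added example, not part of the original message and not Sympa's code: the symlink concern raised above for a predictable, PID-based file name, shown next to exclusive creation and an unpredictable name in an application-owned directory. The file names and the scratch directory (standing in for /tmp and for Sympa's own tmp/) are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Sympa code): predictable temp file name versus
# exclusive creation, exercised inside a private scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

my $dir    = tempdir(CLEANUP => 1);       # stands in for /tmp
my $victim = "$dir/important.conf";       # constructed "important file"
my $guess  = "$dir/sympa_aliases.$$";     # hypothetical PID-based name

sub slurp { open(my $fh, '<', $_[0]) or die "$_[0]: $!"; local $/; return <$fh> }

# Set-up: the important file exists, and the predictable name already
# exists as a symlink pointing at it.
open(my $v, '>', $victim) or die $!; print $v "original\n"; close $v;
symlink($victim, $guess) or die "symlink: $!";

# 1. Weak pattern: a plain open-for-write follows the symlink and truncates
#    its target, even though the data written is hard-coded.
open(my $weak, '>', $guess) or die $!;
print $weak "hard-coded alias data\n";
close $weak;
print "after plain open : ", slurp($victim);    # victim content replaced

# Restore the victim for the second run.
open($v, '>', $victim) or die $!; print $v "original\n"; close $v;

# 2. O_CREAT|O_EXCL: creation fails if the name exists in any form,
#    including a symlink, so nothing is overwritten.
if (sysopen(my $safe, $guess, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    print $safe "hard-coded alias data\n";
    close $safe;
} else {
    print "sysopen refused  : $!\n";             # EEXIST
}
print "after O_EXCL open: ", slurp($victim);     # still "original"

# 3. Unpredictable name in an application-owned directory (File::Temp
#    creates the file with O_EXCL); $dir stands in for Sympa's own tmp/.
my ($fh, $name) = tempfile('aliases.XXXXXXXX', DIR => $dir, UNLINK => 1);
print $fh "hard-coded alias data\n";
close $fh;
print "tempfile created : $name\n";
```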




