
devel - RE: [sympa-dev] session problems continued, and fixed

Subject: Developers of Sympa

  • From: Gavin Younger <address@concealed>
  • To: "'David Verdin'" <address@concealed>, Adam Bernstein <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: RE: [sympa-dev] session problems continued, and fixed
  • Date: Tue, 26 Oct 2010 15:05:52 +0100

Adam, David,

We were engaged in moving our sympa server from old to new hardware earlier this morning and ran into something that sounds very similar to what has been described here…

Source server : RedHat AS 4 (i386), sympa 5.3.4, perl 5.8.5, apache2.0.52 with mod_fastcgi 2.4.2

Target server : CentOS 5.5 (x86_64), sympa 5.3.4, perl 5.8.8, apache2.2.3 with mod_fastcgi 2.4.6

The ‘weirdness’ that was exhibited was cross-talk between different user sessions – very intermittently, a user visiting the wwsympa interface was being presented with the credentials of another logged-in user … note the sympa version hadn’t changed (only the supporting versions of perl/httpd/mod_fastcgi and the 64-bit-ness of the new system)

Obviously users being given the login credentials of another is a serious security issue! ;->

On the target server, we replaced mod_fastcgi with mod_fcgid (and, like Adam, having not been able to test much), and now, we don’t appear to easily reproduce the problem…

Regards,

Gavin Younger,

University of Newcastle-upon-Tyne, UK

From: David Verdin [mailto:address@concealed]
Sent: 24 September 2010 12:46
To: Adam Bernstein
Cc: address@concealed
Subject: Re: [sympa-dev] session problems continued, and fixed

Hi Adam,

Yes, Sympa is developed on mod_fcgid. During a short period, we stopped supporting mod_fastcgi but it went back under development, so it looked like a good choice again.
On our production server we use mod_fcgid and never ever had any problem with sessions. So it could be a good culprit for this problem.

So here's what we'll do:
1- We'll advertise to sympa-announce that a potential threat to session management can be suppressed if the admins switch from mod_fastcgi to mod_fcgid - with detailed information on how to switch.
2- We'll post a detailed report to the mod_fastcgi developers about the problem encountered, the versions on which the problem was observed and anything we can find that could help them debug this. Because frankly it would be a shame that this nice mod would be banned from Sympa because of this problem.

Thanks for your feedback! It helped indeed. ;)

Regards,

David

On 23/09/2010 23:06, Adam Bernstein wrote:

Hey all.  We were still having weird problems with session management even after applying that recent fix, including cross-talk between different virtual robots and between SSL and non-SSL connections.

So, I just tried switching from mod_fastcgi to mod_fcgid, and although I haven't been able to do a lot of testing yet, I think that seems to have fixed it.  I'm crossing my fingers and hoping.

Is Sympa being developed now on mod_fcgid?  If so, I think the best solution here is probably for you to no longer advertise compatibility with mod_fastcgi, which seems to do some bad things with sessions, and require everyone to move to mod_fcgid.  It was a *very* easy transition for me.

I hope this helps.

    adam

--
David Verdin
Comité réseau des universités

Due to the limitations of the human brain, I fail to remember all the mails.
So if you want your bug reports or feature requests for Sympa to be processed, please post them to the Sympa tracker
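Both Gavin and Adam report that after switching to mod_fcgid they "don't appear to easily reproduce" the cross-talk, but neither could test much. A deployment can be checked for this class of leak without waiting for a user to notice it: replay several distinct session cookies against the web interface and verify that every response reports the identity the cookie belongs to. The script below is an added example written for this thread, not code from the Sympa project. It embeds a constructed stand-in for a persistent FastCGI backend so it runs offline; the "leaky" variant simulates one hypothetical cause of this symptom (a login cached in process-global state that is only filled on the first request), which is an illustration, not a diagnosis of mod_fastcgi. The cookie name `session`, the `Logged in as:` marker and the session table are assumptions of the stub; against a real wwsympa they must be replaced with the site's own cookie name and a regex matching how its pages show the logged-in user.

```python
# Added example: probe a persistent-process web backend for session cross-talk.
# Not part of Sympa or of this thread; the stub backend and its session table
# are constructed for the demonstration.
import http.server
import re
import threading
import urllib.request

# Constructed session table: cookie value -> login the backend should report.
SESSIONS = {"cookie-alice": "alice@example.org", "cookie-bob": "bob@example.org"}


class _Handler(http.server.BaseHTTPRequestHandler):
    """Stand-in for a long-lived FastCGI worker serving the login page."""
    leaky = False          # set per stub instance via a subclass (see start_stub)
    cached_login = None    # process-global state shared by every request

    def do_GET(self):
        m = re.search(r"session=([^;]+)", self.headers.get("Cookie", ""))
        login = SESSIONS.get(m.group(1) if m else "", "anonymous")
        if type(self).leaky:
            # Hypothetical stale-global bug: the lookup result is stored once
            # and reused for every later request, whoever sent it.
            if type(self).cached_login is None:
                type(self).cached_login = login
            login = type(self).cached_login
        body = f"Logged in as: {login}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub(leaky):
    """Start a single-threaded stub on a free loopback port; return (url, server)."""
    handler = type("Stub", (_Handler,), {"leaky": leaky, "cached_login": None})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/", srv


def probe_sessions(base_url, sessions, rounds=3, cookie_name="session",
                   identity_re=r"Logged in as: (\S+)"):
    """Fetch base_url once per session per round and compare the identity the
    page reports with the one the cookie should map to.
    Returns a list of (cookie, expected_login, reported_login) mismatches;
    an empty list means no cross-talk was observed in this run."""
    mismatches = []
    for _ in range(rounds):
        for cookie, expected in sessions.items():
            req = urllib.request.Request(
                base_url, headers={"Cookie": f"{cookie_name}={cookie}"})
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read().decode("utf-8", "replace")
            m = re.search(identity_re, body)
            seen = m.group(1) if m else None
            if seen != expected:
                mismatches.append((cookie, expected, seen))
    return mismatches


def demo():
    """Run the probe against a correct and a leaky stub; return {leaky: mismatches}."""
    results = {}
    for leaky in (False, True):
        url, srv = start_stub(leaky)
        try:
            results[leaky] = probe_sessions(url, SESSIONS)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for leaky, bad in demo().items():
        print("leaky" if leaky else "correct", "backend:", len(bad), "mismatches", bad)
```

Against a real server, point `probe_sessions` at the wwsympa URL with cookies obtained by logging in as several test accounts, raise `rounds`, and run it from more than one client in parallel: the cross-talk described in the thread was intermittent, so a single clean pass is weaker evidence than many concurrent ones, while a single mismatch is conclusive.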
