devel - Re: [sympa-developpers] Possible sympa security issue.

Subject: Developers of Sympa

  • From: MDT Evans <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [sympa-developpers] Possible sympa security issue.
  • Date: Thu, 24 Mar 2016 15:30:07 +0000

Hi David,

The issue is that whilst our new sympa 6.1.24 installation was being
security scanned all kinds of weird and wonderful subtopics appeared on
our list home page.

We found that constructing a URL of the following form allowed insertion of
subtopics:

http://host./sympa/lists/<existing_topic>/<anything>

So for example if we have an *existing* news topic we can inject
"MartinWasHere" as a subtopic and it is displayed on the main page with
this URL (unauthenticated from anywhere):

http://138.37.XXX.XXX/sympa/lists/news/MartinWasHere

The topics can be reset to normal by touching or rewriting the topics
file.

I have done a very simple hack (below) on our production sympa install
that causes the topics file to be re-read every time instead of caching
it. This clears out the symptoms and thus prevents vandalism of our main
page.

However, I suspect that this is not the right fix and there's something
else in the perl that is inadvertently altering the topics data that I
don't have the experience to find and fix.

Here's my hack:

# diff -u List.pm.0 List.pm
--- List.pm.0 2016-03-16 12:41:41.495189978 +0000
+++ List.pm 2016-03-16 12:43:14.929640611 +0000
@@ -11043,7 +11043,10 @@
my $topics = {};

## Load if not loaded or changed on disk
- if (! $list_of_topics{$robot} || ((stat($conf_file))[9] >
$mtime{'topics'}{$robot})) {
+# MDTE HACK TO FORCE THE LOADING OF TOPICS EVERY TIME.
+# if (! $list_of_topics{$robot} || ((stat($conf_file))[9] >
$mtime{'topics'}{$robot})) {
+ {
+# MDTE: END OF HACK

## delete previous list of topics
%list_of_topics = undef;
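Review bot: `%list_of_topics = undef;` in the trailing context of this hunk does not empty the hash; under `use warnings` it raises "Odd number of elements in hash assignment" and leaves one entry keyed by the empty string, so the old topics only disappear because the reload that follows overwrites the robot's key. `%list_of_topics = ();` is the idiomatic clear. On the hack itself: replacing the mtime guard with a bare `{` block makes the topics file stat'ed and parsed on every call, which hides the symptom at the cost of a file read per request but leaves untouched whatever writes the unknown subtopic into `%list_of_topics` between reloads. Also, as pasted, the continuation line `$mtime{'topics'}{$robot})) {` after the `+#` line carries no `+#` prefix; that is probably mail wrapping, but the patch would not apply (or compile) verbatim.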

We do run a slightly modified version of sympa here at Queen Mary, so I
asked our technical team to set up a vanilla install of 6.1.24 and I was
able to reproduce the problem there also.

We have a development list server also here at QM and I would be happy
to test any patches that are better than mine against that installation
for you.

Hope that helps,
Martin.

On Thu, 2016-03-24 at 14:56 +0100, David Verdin wrote:
> Hi Evans,
>
> sorry for this late answer - and for not fixing the su problem yet, I
> can't find a good way to do it.
>
> This list is a good place. We have very few subscribers and most of
> them are Sympa developers, so please feel free to post your problem -
> and workaround - here.
>
> cheers,
>
> David
>
> On 17/03/2016 15:29, MDT Evans (via sympa-developpers Mailing List)
> wrote:
>
> > Apologies. It should have been:
> >
> > > I've found an unauthenticated HTML injection into Sympa 6.1.24 (maybe in
> > > other versions).
> > >
> > > Can anyone advise on who we can report this to please. I don't really
> > > want to publicise it on this list or on the bug tracker.
> > Also, I have a patch for a possible workaround but would like to know if
> > there is a better approach.
> >
> > Thanks,
> > Martin.
> >
>
> --
> A bug in Sympa? Quick! To the bug tracker!
>
> David Verdin
> Études et projets applicatifs
>
>
> Tel: +33 2 23 23 69 71
> Fax: +33 2 23 23 71 21
>
> www.renater.fr
>
> RENATER
> 263 Avenue du Gal Leclerc
> 35042 Rennes Cedex
>
>
>
>

--
Dr MDT Evans - Head of Data Centre Services.
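As an added illustration (not code from this thread or from Sympa, and not a claim about where Sympa 6.1.24 actually alters its topics data), the Perl script below shows the most common way a read-only lookup into a long-lived nested hash silently inserts a key: autovivification. Reading `$h{topic}{sub}{$name}{title}` creates `$h{topic}{sub}{$name}` as an empty hash if it was absent, and in a persistent process (FastCGI, mod_perl) that entry survives until the cache is rebuilt. The `%list_of_topics` layout, the `sub`/`title` keys and the helper names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory stand-in for a cached, process-lifetime topics
# structure (hypothetical shape; not Sympa's real data layout).
my %list_of_topics = (
    'news' => { title => 'News', sub => { 'sport' => { title => 'Sport' } } },
    'jobs' => { title => 'Jobs', sub => {} },
);

# Vulnerable lookup: the topic must exist (as in the report), but the deep
# read of {sub}{$sub}{title} autovivifies {sub}{$sub} for any $sub taken
# from the URL, so the attacker's string becomes a cached subtopic.
sub subtopic_title_vuln {
    my ($topic, $sub) = @_;
    return undef unless exists $list_of_topics{$topic};
    return $list_of_topics{$topic}{sub}{$sub}{title};
}

# Hardened lookup: test each level with exists before descending, so a
# query never writes into the shared cache.
sub subtopic_title_safe {
    my ($topic, $sub) = @_;
    return undef unless exists $list_of_topics{$topic};
    my $subs = $list_of_topics{$topic}{sub};
    return undef unless ref $subs eq 'HASH' && exists $subs->{$sub};
    return $subs->{$sub}{title};
}

# What the list home page would render for a topic.
sub list_subtopics {
    my ($topic) = @_;
    return () unless exists $list_of_topics{$topic};
    my $subs = $list_of_topics{$topic}{sub};
    return () unless ref $subs eq 'HASH';
    return sort keys %{$subs};
}

# "Request 1": attacker-controlled path component, as in
# /sympa/lists/news/MartinWasHere, handled by the vulnerable lookup.
subtopic_title_vuln('news', 'MartinWasHere');
# "Request 2": an unrelated visitor loads the home page from the same cache.
print "after vulnerable lookup: ", join(',', list_subtopics('news')), "\n";

# Reset the cache and repeat with the hardened lookup.
delete $list_of_topics{news}{sub}{MartinWasHere};
subtopic_title_safe('news', 'MartinWasHere');
print "after hardened lookup:   ", join(',', list_subtopics('news')), "\n";
```

Running it with `perl` shows `MartinWasHere` listed alongside `sport` after the first lookup, although nothing ever assigned to it, and only `sport` after the hardened one. Once lookups cannot mutate the cache, re-reading the topics file on every request is no longer needed as a defence; the mtime check can stay. The CPAN `autovivification` pragma (`no autovivification;`) turns this class of implicit write into a no-op for a whole lexical scope and is a cheaper audit than finding every deep read by hand.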

Archive powered by MHonArc 2.6.19+.
