Subject: The mailing list for listmasters using Sympa
[sympa-users] Vulnerability on 6.1.16 allow access private archives
- From: <address@concealed>
- To: address@concealed
- Subject: [sympa-users] Vulnerability on 6.1.16 allow access private archives
- Date: Mon, 04 Feb 2013 16:18:44 +0100
We've recently migrated our mailing list servers to Sympa. We started with the
6.1.16 source tarball. Thanks for this project.
Now we have realized there is a vulnerability which allows anonymous access to private lists.
To reproduce, please follow this URL (we got it from someone on Twitter having
fun with it, which is embarrassing):
https://t.co/931C0fv2
It links straight to a message from a private list archive, which can be seen
by everyone without login, and once there, you can also navigate to other
messages in the same month.
If you walk into the mailing list archive without login, you're unable to do
so.
In short, just by having a link to a mail archive, you're able to see that
message as well as many others, so that doesn't seem like the expected behaviour, right?
By looking into the already known security advisories
(http://www.sympa.org/security_advisories), it seems that the last similar
vulnerability was fixed in 6.1.11, but we are on 6.1.16.
Thanks,
Ramon.
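The symptom Ramon describes (the archive index asks for a login, but a direct link to a message inside the same private archive does not) is the classic signature of an access check that lives in one handler instead of in front of all of them. The following is an added illustration written for this thread; it is not Sympa's code and the `/arc/<list>/<month>/<msg>` URL scheme, the list names, subscribers and message bodies are all constructed. It shows the vulnerable dispatch pattern beside the hardened one, plus a small regression check a listmaster can keep around to confirm that anonymous requests are refused on both the index and the direct-message URL.

```python
"""Added illustration (not Sympa code): why a direct link can bypass an
archive's access control, and how to structure the check so it cannot.

Assumptions: a hypothetical archive web app with two views, a monthly index
and a single message, addressed as /arc/<list>/<month>/ and
/arc/<list>/<month>/<msg>. All data below is constructed for the example.
"""
from typing import Callable, Optional, Tuple

# Constructed sample data, not taken from any real server.
PRIVATE_LISTS = {"staff"}                           # archives that require membership
MEMBERS = {"staff": {"alice@example.org"}}          # list -> subscriber addresses
MESSAGES = {                                        # (list, month, msg-id) -> body
    ("staff", "2013-02", "1"): "Confidential minutes",
    ("staff", "2013-02", "2"): "Budget draft",
    ("public", "2013-02", "1"): "Hello world",
}

Response = Tuple[int, str]
App = Callable[[Optional[str], str], Response]


def is_authorized(user: Optional[str], listname: str) -> bool:
    """Private archives are readable only by a logged-in subscriber."""
    if listname not in PRIVATE_LISTS:
        return True
    return user is not None and user in MEMBERS.get(listname, set())


def parse_archive_path(path: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split the hypothetical '/arc/<list>/<month>/[<msg>]' scheme."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3 or parts[0] != "arc":
        return None
    listname, month = parts[1], parts[2]
    msg = parts[3] if len(parts) > 3 else None
    return listname, month, msg


def render_index(listname: str, month: str) -> Response:
    ids = sorted(m for (l, mo, m) in MESSAGES if l == listname and mo == month)
    return (200, " ".join(ids)) if ids else (404, "no such month")


def render_message(listname: str, month: str, msg: str) -> Response:
    body = MESSAGES.get((listname, month, msg))
    return (200, body) if body is not None else (404, "no such message")


def vulnerable_app(user: Optional[str], path: str) -> Response:
    """The access check lives only in the index branch. This is the pattern
    that produces 'index needs login, direct message link does not'."""
    parsed = parse_archive_path(path)
    if parsed is None:
        return 404, "not found"
    listname, month, msg = parsed
    if msg is None:
        if not is_authorized(user, listname):
            return 403, "login required"
        return render_index(listname, month)
    return render_message(listname, month, msg)   # no check on this branch


def hardened_app(user: Optional[str], path: str) -> Response:
    """The access check runs once, before dispatch, so every URL under a
    private archive is covered regardless of which view it maps to."""
    parsed = parse_archive_path(path)
    if parsed is None:
        return 404, "not found"
    listname, month, msg = parsed
    if not is_authorized(user, listname):
        return 403, "login required"
    if msg is None:
        return render_index(listname, month)
    return render_message(listname, month, msg)


def anonymous_access_refused(app: App, listname: str, month: str, msg: str) -> bool:
    """Regression check: an anonymous request against a private archive must
    be refused on both the index URL and a direct message URL."""
    index_status = app(None, f"/arc/{listname}/{month}/")[0]
    msg_status = app(None, f"/arc/{listname}/{month}/{msg}")[0]
    return index_status != 200 and msg_status != 200


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, "anonymous direct link ->", app(None, "/arc/staff/2013-02/1"))
        print(name, "refuses anonymous access:",
              anonymous_access_refused(app, "staff", "2013-02", "1"))
```

The check deliberately probes two URLs, not one: a test that only fetches the index page would pass against the vulnerable dispatcher above, which is exactly the situation reported here. When adding such a test for a real archive, the private list name and a known message identifier are the only inputs it needs, and the expected result for an anonymous client is anything other than a 200 with the message body.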
Thread:
- [sympa-users] Vulnerability on 6.1.16 allow access private archives, ramon.roca, 02/04/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- <Possible follow-up(s)>
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, Ramon Roca, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013