en - Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives
  • Date: Tue, 05 Feb 2013 10:25:02 +0100

Hi Ramon,

The security advisory you mention was related to archive management (the part where you can download and/or delete archives).

Actually, I just fixed some security issues related to this kind of trouble, and on my own stable server this problem doesn't show.
So I'll definitely tag a 6.1.17 (seamless upgrade) and you'll be able to get rid of this problem.

Regards,

David


On 04/02/13 16:18, address@concealed wrote:
We've recently migrated our mailing list servers to sympa. We started with
6.1.16 source tarball. Thanks for this project.

Now we realized a vulnerability which allows anonymous access to private lists.
To reproduce, please follow this URL (which we got from someone on Twitter having
fun with that, which is embarrassing):

https://t.co/931C0fv2

It links straight to a message from a private archive list, which can be seen
by everyone without login, and once there, you can navigate also to other
messages in the same month.

If you walk into the mailing list archive without logging in, you're unable to do
so.

In short, by just having a link to a mail archive, you're able to see that
message as well as many others, so this doesn't seem to be the expected behaviour, right?

By looking into the already known security advisories
(http://www.sympa.org/security_advisories), it seems that the last similar
vulnerability was fixed in 6.1.11, but we are on 6.1.16.

Thanks,
Ramon.



--
A bug in Sympa? Quick! To the bug tracker!
David Verdin
Services Applicatifs aux Utilisateurs
Tel. +33 2 23 23 69 71
GIP RENATER

Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19+.
