Subject: The mailing list for listmasters using Sympa
List archive
Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives
- From: <address@concealed>
- To: address@concealed
- Subject: Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives
- Date: Tue, 05 Feb 2013 21:53:27 +0100
Hi David,
Is this the same vulnerability that was fixed in 6.1.11, or is it slightly
different?
Thanks,
Kristina
Hi Ramon,
The security advisory you mention was related to archive management (the part
where you can download and/or delete archives).
Actually, I just fixed some security issues related to this kind of trouble,
and on my own stable server this problem doesn't show.
So I'll definitely tag a 6.1.17 (seamless upgrade) and you'll be able to get
rid of this problem.
Regards,
David
On 04/02/13 16:18, address@concealed wrote:
We've recently migrated our mailing list servers to sympa. We started with
6.1.16 source tarball. Thanks for this project.
Now we have realized there is a vulnerability which allows anonymous access to
private lists. To reproduce, please follow this URL (we got it from someone on
Twitter having fun with it, which is embarrassing):
https://t.co/931C0fv2
It links straight to a message from a private list archive, which can be seen
by everyone without login, and once there you can also navigate to other
messages in the same month.
If you walk into the mailing list archive without login, you're unable to do
so.
In short, just by having a link to a mail archive you're able to see that
message as well as many others, so it doesn't seem like the expected behaviour,
right?
By looking into the already known security advisories
(http://www.sympa.org/security_advisories), it seems that the last similar
vulnerability was fixed in 6.1.11, but we are on 6.1.16.
Thanks,
Ramon.
--
A bug in Sympa? Quick! To the bug tracker!
David Verdin
Services Applicatifs aux Utilisateurs
Tel. +33 2 23 23 69 71
- [sympa-users] Vulnerability on 6.1.16 allow access private archives, ramon.roca, 02/04/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- <Possible follow-up(s)>
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, Ramon Roca, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
Archive powered by MHonArc 2.6.19+.