Subject: The mailing list for listmasters using Sympa
List archive
Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives
- From: David Verdin <address@concealed>
- To: address@concealed
- Subject: Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives
- Date: Tue, 05 Feb 2013 22:05:10 +0100
Hi Kristina,

No this isn't the same vulnerability. In the 6.1.11, it was related to archive management. What Ramon reports is related to archive access. I can't reproduce his bug with the 6.1.17. We'll see if, with his setting, the same result is obtained. It could also be a simple configuration trouble. What the 6.1.17 fixes is a potential workaround of lists visibility.

Regards,

David

On 05/02/2013 21:53, address@concealed wrote:
> Hi David,
>
> Is this the same vulnerability that was fixed in 6.1.11, or is it slightly different?
>
> Thanks,
> Kristina
>
>> Hi Ramon,
>>
>> The security advisory you mention was related to archive management (the part where you can download and/or delete archives). Actually, I just fixed some security issues related to this kind of troubles and on my own stable server, this problem doesn't show. So I'll definitely tag a 6.1.17 (seamless upgrade) and you'll be able to get rid of this problem.
>>
>> Regards,
>>
>> David
>>
>> On 04/02/13 16:18, address@concealed wrote:
>>> We've recently migrated our mailing list servers to sympa. We started with 6.1.16 source tarball. Thanks for this project.
>>>
>>> Now we realized a vulnerability which allows anonymous access to private lists. To reproduce, please follow this url (we've got it from someone on twitter having fun on that, which is embarrassing): https://t.co/931C0fv2
>>>
>>> It links straight to a message from a private archive list, which can be seen by everyone without login, and once there, you can navigate also to other messages in the same month. If you walk into the mailing list archive without login, you're unable to do so.
>>>
>>> In short, by just having a link to a mail archive, you're able to see that message as well as many others. So that doesn't seem to be the expected behaviour, right?
>>>
>>> By looking into already known security advisories (http://www.sympa.org/security_advisories), it seems that the last similar vulnerability was fixed on 6.1.11, but we are on 6.1.16.
>>>
>>> Thanks,
>>> Ramon.

--
A bug in Sympa? Quick! To the bug tracker!
David Verdin
Services Applicatifs aux Utilisateurs
Tel. +33 2 23 23 69 71
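The access-control gap Ramon describes, as an added illustration that is not Sympa's code: a hypothetical archive URL layout and a constructed list table, with the check wired to the index route only shown beside one applied to every archive route before anything is rendered.

```python
"""Added example (hypothetical, not Sympa's code): why an archive authorization
check must cover the direct-message route as well as the archive index."""
import re

# Constructed sample of two lists and their archive access policy.
LISTS = {
    "public-news": {"archive": "public", "subscribers": {"alice@example.org"}},
    "staff-private": {"archive": "private", "subscribers": {"alice@example.org"}},
}

# Hypothetical URL layout: /arc/<list>/<yyyy-mm>/ (index) and
# /arc/<list>/<yyyy-mm>/msg<n>.html (a single message).
ARCHIVE_URL = re.compile(
    r"^/arc/(?P<list>[A-Za-z0-9_.-]+)/(?P<month>\d{4}-\d{2})/(?:msg(?P<msg>\d+)\.html)?$"
)


def may_read_archive(listname, user):
    """Policy: public archives are open; private ones need a logged-in subscriber."""
    entry = LISTS.get(listname)
    if entry is None:
        return False                      # unknown list: deny by default
    if entry["archive"] == "public":
        return True
    return user is not None and user in entry["subscribers"]


def serve_index_only_check(path, user):
    """Flawed pattern: the policy is attached to the index page only, so a
    direct message link (the situation reported in the thread) is never checked."""
    m = ARCHIVE_URL.match(path)
    if not m:
        return False
    if m.group("msg") is None:            # index view: policy applied
        return may_read_archive(m.group("list"), user)
    return True                           # message view: served unconditionally


def serve_with_route_gate(path, user):
    """Fixed pattern: derive the list from the URL and run the same policy
    for every archive route, index and message alike."""
    m = ARCHIVE_URL.match(path)
    if not m:
        return False
    return may_read_archive(m.group("list"), user)
```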
- [sympa-users] Vulnerability on 6.1.16 allow access private archives, ramon.roca, 02/04/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, kclair, 02/05/2013
- <Possible follow-up(s)>
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, Ramon Roca, 02/05/2013
- Re: [sympa-users] Vulnerability on 6.1.16 allow access private archives, David Verdin, 02/05/2013
Archive powered by MHonArc 2.6.19+.