The Sympa Community 2021-01-06 (Update)
A fix is available for defects in the access restriction of Sympa SOAP/HTTP interface.
- All versions of Sympa prior to 6.2.60
Defects has been discovered in authenticateAndRun call of
Sympa SOAP/HTTP interface by which access restriction can be bypassed,
and therefore these things are allowed:
- bogus session ID
- the session ID which belongs to different user
As a result, any SOAP call can be executed.
For more details see References.
This problem does not apply to environments where the SOAP/HTTP server
(sympa_soap_server.fcgi) is not running.
Attacker can execute any SOAP call by privileges of any Sympa accounts.
- Currently no workarounds are known except shutting down SOAP/HTTP service.
-
Upgrade Sympa to version 6.2.60 or later
- Source distribution: sympa-6.2.60.tar.gz
- Binary distributions: Check release information by distributors.
or, if you have installed Sympa using earlier version of source distribution,
-
Apply a patch:
Patch for Sympa 6.2.28 to 6.2.58: sympa-6.2.58-sa-2020-003-r1.patch
Patch for Sympa 6.2 to 6.2.24: sympa-6.2.24-sa-2020-003-r1.patch
Patch for Sympa 6.1.25: sympa-6.1.25-sa-2020-003-r1.patch
- GitHub issue sympa-community/sympa#1041: Unauthorised full access via SOAP API due to illegal cookie
- Sympa 6.2.60 announce
The security flaw was initially reported by Stefan Brenner.
-
2021-01-04
Initial version published.
-
2021-01-06
Solution: Added reference to patches for version 6.2.24 or earlier.