package: sympa
severity: critical
version: 6.2.40~dfsg-3
tags: patch

A vulnerability has been discovered in the Sympa web interface that can
cause a denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows
creating junk files in Sympa's directory for temporary files. In
particular, by tampering with the token used to prevent CSRF, it allows
originating excessive notification messages to listmasters.

Full advisory:

https://sympa-community.github.io/security/2020-001.html

Regards
           Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
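To make the amplification described in the advisory concrete, here is an added Python model (not Sympa's code, which is Perl; the function names, the file naming and the 64-byte log cap are assumptions for illustration) of the pre-fix parameter filter that writes one dump file for every value failing its regexp, beside a hardened filter that only blanks the parameter and logs a truncated value. Fifty constructed requests carrying two malformed csrftoken values each leave a hundred files behind in the vulnerable version and none in the hardened one, and the hardened version also stops logging the full attacker-supplied value.

```python
"""Model of the DoS amplifier fixed by Sympa SA 2020-001 (added example, not
Sympa's own Perl code).  A generic input filter that reacts to every malformed
parameter with an unbounded side effect (one dump file per bad value) is shown
beside a hardened filter that only clears the parameter and logs a bounded line.
"""
import os
import re
import tempfile

# Subset of Sympa's per-parameter regexp table, modelled on the %in_regexp
# entries visible in the patch; the csrftoken entry is the one the fix removes.
IN_REGEXP = {
    "role": r"member|editor|owner",
    "csrftoken": r"[0-9a-f]{32}",
}

MAX_LOGGED_VALUE = 64  # assumed cap on how much of a bad value reaches the log


def vulnerable_get_parameters(params, tmpdir, log):
    """Pre-fix shape: each value failing its regexp dumps the whole parameter
    hash into tmpdir (file naming is hypothetical, same idea as
    sympa_dump.<time>.<pid>) and keeps checking the remaining values (Perl
    `next`), so a multi-valued parameter dumps once per bad value."""
    cleaned = dict(params)
    for name, values in params.items():
        regexp = IN_REGEXP.get(name)
        if regexp is None:
            continue
        for value in values:
            if re.fullmatch(regexp, value, re.S):
                continue
            fd, dump_file = tempfile.mkstemp(prefix="sympa_dump.", dir=tmpdir)
            with os.fdopen(fd, "w") as fh:
                fh.write(repr(params))  # attacker controls the size of this too
            log.append(f"err: syntax error for {name} value {value!r}; "
                       f"dumped vars in {dump_file}")
            cleaned[name] = ""
    return cleaned


def hardened_get_parameters(params, log):
    """Post-fix shape: no file, no notification, a bounded log line, and the
    inner loop stops at the first bad value (Perl `last`) because the
    parameter has already been blanked."""
    cleaned = dict(params)
    for name, values in params.items():
        regexp = IN_REGEXP.get(name)
        if regexp is None:
            continue
        for value in values:
            if re.fullmatch(regexp, value, re.S):
                continue
            shown = value[:MAX_LOGGED_VALUE]
            if len(value) > MAX_LOGGED_VALUE:
                shown += "..."
            log.append(f"err: syntax error for {name} value {shown!r} "
                       f"not conform to regexp {regexp}")
            cleaned[name] = ""
            break
    return cleaned


def malformed_request(i):
    """Constructed request: a valid role plus two csrftoken values that cannot
    match the 32-hex-digit pattern, one of them deliberately large."""
    return {"role": ["owner"], "csrftoken": [f"NOT-A-TOKEN-{i}", "x" * 10000]}


def simulate(n_requests, vulnerable):
    """Replay n malformed requests and return (files left in tmpdir,
    number of log lines, total bytes logged)."""
    log = []
    with tempfile.TemporaryDirectory() as tmpdir:
        for i in range(n_requests):
            if vulnerable:
                vulnerable_get_parameters(malformed_request(i), tmpdir, log)
            else:
                hardened_get_parameters(malformed_request(i), log)
        files = len(os.listdir(tmpdir))
    return files, len(log), sum(len(line) for line in log)


if __name__ == "__main__":
    for flag in (True, False):
        files, lines, nbytes = simulate(50, vulnerable=flag)
        print(f"vulnerable={flag}: {files} dump files, {lines} log lines, "
              f"{nbytes} bytes logged")
```

The point the model makes is that the regexp table itself is not the problem; what turns a syntax error into a DoS is any per-request side effect (a file, a notification mail) whose count and size the remote party controls. The only remaining per-request cost in the hardened path is one log line of bounded length.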
From 9b86fb3f0337d70221d63392db7d1a52b439dc8f Mon Sep 17 00:00:00 2001
From: IKEDA Soji <ik...@conversion.co.jp>
Date: Tue, 11 Feb 2020 17:52:22 +0900
Subject: [PATCH] Sympa SA 2020-001 (candidate).  Denial of service caused by
 malformed CSRF token.

---
 src/cgi/wwsympa.fcgi.in | 25 +++----------------------
 1 file changed, 3 insertions(+), 22 deletions(-)

diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in
index 2eb8aec..c7b5195 100644
--- a/src/cgi/wwsympa.fcgi.in
+++ b/src/cgi/wwsympa.fcgi.in
@@ -992,9 +992,6 @@ our %in_regexp = (
 
     # Role
     'role' => 'member|editor|owner',
-
-    ## CSRF token is a lower case MD5 hash
-    'csrftoken' => '^[0-9a-f]{32}$',
 );
 
 ## Regexp applied on incoming parameters (%in)
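Review bot: with the csrftoken entry dropped from %in_regexp, nothing in this hunk records why that parameter is deliberately left out of the generic syntax check, so a later cleanup could reinstate '^[0-9a-f]{32}$' and bring the per-request dump back. Replace the deleted entry with a one-line comment saying that csrftoken is intentionally not listed here because a malformed token must be rejected by the token comparison itself rather than by get_parameters and its side effects. As a minor style point, the removed pattern carried its own ^ and $ anchors while get_parameters already wraps every entry in /^$regexp$/s and the neighbouring 'member|editor|owner' entry is unanchored; if the token is ever filtered again it should follow the unanchored style.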
@@ -1262,8 +1259,6 @@ while ($query = CGI::Fast->new) {
     # affected to another anonymous session.
     undef $ENV{'HTTP_COOKIE'};
     unless (defined $session) {
-        Sympa::send_notify_to_listmaster($robot,
-            'failed_to_create_web_session', {});
         wwslog('info', 'Failed to create session');
         $session = Sympa::WWW::Session->new($robot, {});
     }
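Review bot: removing the failed_to_create_web_session notification leaves wwslog('info', 'Failed to create session') as the only trace of a session-creation failure, and 'info' is easy to lose in ordinary traffic. Since the notification is what used to make this condition visible, raise the level to 'err' (or at least 'notice') so that a genuine backend failure, as opposed to a forged request, is still noticed by whoever reads the logs. The fallback to an anonymous Sympa::WWW::Session->new($robot, {}) is fine and keeps the request serviceable.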
@@ -2149,32 +2144,18 @@ sub get_parameters {
             if ($one_p !~ /^$regexp$/s
                 || (defined $negative_regexp && $one_p =~ /$negative_regexp/s)
             ) {
-                ## Dump parameters in a tmp file for later analysis
-                my $dump_file =
-                      Conf::get_robot_conf($robot, 'tmpdir')
-                    . '/sympa_dump.'
-                    . time . '.'
-                    . $PID;
-                unless (open DUMP, ">$dump_file") {
-                    wwslog('err', 'Failed to create %s: %s',
-                        $dump_file, $ERRNO);
-                }
-                Sympa::Tools::Data::dump_var(\%in, 0, \*DUMP);
-                close DUMP;
-
                 Sympa::WWW::Report::reject_report_web('user', 'syntax_errors',
                     {p_name => $p},
                     '', '');
                 wwslog(
                     'err',
-                    'Syntax error for parameter %s value "%s" not conform to regexp:%s; dumped vars in %s',
+                    'Syntax error for parameter %s value "%s" not conform to regexp:%s',
                     $pname,
                     $one_p,
-                    $regexp,
-                    $dump_file
+                    $regexp
                 );
                 $in{$p} = '';
-                next;
+                last;
             }
         }
     }
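Review bot: the remaining wwslog('err', ...) still interpolates the full attacker-supplied value $one_p, so a single request with a multi-kilobyte parameter still puts that much into the log for every request; truncate it before logging, e.g. substr($one_p, 0, 64), so the per-request cost is bounded as well as file-free. The change from next to last is right: once $in{$p} = '' has run there is nothing left to check for that parameter, and it also stops reject_report_web from being called again for every further malformed value of a multi-valued parameter. With the dump_file variable gone, the format string no longer has a dangling %s, which matches the trimmed argument list.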
-- 
1.8.3.1

Attachment: signature.asc
Description: OpenPGP digital signature