Your message dated Sat, 28 Nov 2020 17:06:00 +0000
with message-id <[email protected]>
and subject line Bug#976020: fixed in sympa 6.2.58~dfsg-2
has caused the Debian Bug report #976020,
regarding Unauthorized access to review call of the SOAP API
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: sympa
version: 6.2.58~dfsg-2
severity: important
tags: security
forwarded: https://github.com/sympa-community/sympa/issues/1041
It is possible to retrieve the email addresses of a list through the SOAP API
without proper authentication.
This requires the following knowledge:
- name of the list
- email of a user that is allowed to see the email addresses OR a valid
session id
The SOAP API is not activated with the default Debconf settings.
Patch attached.
Regards
Racke
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 52157b54583e2052cfc1625a7311f80c94f3aed9
Author: Stefan Hornburg (Racke) <[email protected]>
Date: Fri Nov 27 23:28:14 2020 +0100
Properly check email and session id in authenticateAndRun SOAP call (#1041).
diff --git a/src/lib/Sympa/WWW/SOAP.pm b/src/lib/Sympa/WWW/SOAP.pm
index 188a8b221..735963dc4 100644
--- a/src/lib/Sympa/WWW/SOAP.pm
+++ b/src/lib/Sympa/WWW/SOAP.pm
@@ -321,19 +321,16 @@ sub authenticateAndRun {
## session_table instead
my $session =
Sympa::WWW::Session->new($ENV{'SYMPA_ROBOT'}, {cookie => $cookie});
- if (defined $session) {
- $email = $session->{'email'};
- $session_id = $session->{'id_session'};
- }
- unless ($email or $email eq 'unknown') {
- $log->syslog('err', 'Failed to authenticate user with session ID %s',
- $session_id);
+
+ unless (defined $session && ! $session->{'new_session'} && $session->{'email'} eq $email) {
+ $log->syslog('err', 'Failed to authenticate user %s with session ID %s',
+ $email, $cookie);
die SOAP::Fault->faultcode('Client')
->faultstring('Could not get email from cookie')->faultdetail('');
}
$ENV{'USER_EMAIL'} = $email;
- $ENV{'SESSION_ID'} = $session_id;
+ $ENV{'SESSION_ID'} = $session->{'id_session'};
no strict 'refs';
$service->($self, @$parameters);
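Review bot: the unchanged fault text `->faultstring('Could not get email from cookie')` no longer describes what this hunk rejects, which now also includes a cookie that resolves to an existing session whose email differs from the supplied `$email`, and one that resolves to a freshly created session (`new_session`); reword it to something like 'Session does not match email' so client authors are not sent looking at the cookie alone (the new syslog line already carries both values). Two smaller points: `$session->{'email'} eq $email` warns and degrades to a comparison against the empty string when the caller omits `$email`, so put `defined $email &&` in front of it; and with the assignments to `$session_id` removed and `$ENV{'SESSION_ID'}` now reading `$session->{'id_session'}` directly, any `my $session_id` declared above this hunk is left unused and can go. Finally, logging the raw `$cookie` at 'err' on every failed call writes what may be another user's live session token into syslog (the mismatch case), where the old line logged the session id only after a successful lookup; consider logging a truncated or hashed form.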
--- End Message ---
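As an added illustration (not Sympa's code and not part of the report above), the following Perl models the check that the patch changes, with a constructed in-memory session table standing in for Sympa::WWW::Session->new; the cookie values, addresses, and the assumption that an unknown cookie yields an undefined session are made up for the model. It shows why a caller-supplied address was sufficient before the fix and which of the three new conditions rejects each case afterwards.

```perl
#!/usr/bin/perl
# Added illustration, not Sympa code: models the authenticateAndRun check
# before and after the patch. lookup_session() is a constructed stand-in for
# Sympa::WWW::Session->new; the cookies and addresses below are made up.
use strict;
use warnings;

# Constructed session table: cookie => session record. 'fresh01' imitates a
# session that was only just created for the request (new_session set),
# which is the state the patched check rejects explicitly.
my %SESSIONS = (
    'c0ffee'  => { id_session => 'c0ffee',  email => 'member@example.org', new_session => 0 },
    'fresh01' => { id_session => 'fresh01', email => 'nobody',             new_session => 1 },
);

# Assumption for this model: a missing or unknown cookie yields undef, the
# case the pre-patch `if (defined $session)` guard implies can happen.
sub lookup_session {
    my ($cookie) = @_;
    return undef unless defined $cookie;
    return $SESSIONS{$cookie};    # undef when no such session exists
}

# Pre-patch logic, mirroring the removed lines. When no session is found the
# caller-supplied $email is left untouched, and the `or $email eq 'unknown'`
# clause is dead: any non-empty $email already satisfies the first operand.
sub authenticate_old {
    my ($email, $cookie) = @_;
    my $session = lookup_session($cookie);
    my $session_id;
    if (defined $session) {
        $email      = $session->{email};
        $session_id = $session->{id_session};
    }
    return (0, undef, undef) unless ($email or $email eq 'unknown');
    return (1, $email, $session_id);
}

# Post-patch logic. The caller must present a cookie that resolves to an
# existing (not new) session AND name the address that session belongs to.
# `defined $email` is added in this model to avoid an uninitialised-value
# warning; the patch itself compares directly.
sub authenticate_new {
    my ($email, $cookie) = @_;
    my $session = lookup_session($cookie);
    return (0, undef, undef)
        unless defined $session
            && !$session->{new_session}
            && defined $email
            && $session->{email} eq $email;
    return (1, $email, $session->{id_session});
}

my @cases = (
    # description, email parameter, cookie parameter
    [ 'privileged email, bogus cookie (reported bypass)', 'owner@example.org',  'bogus'   ],
    [ 'valid cookie, email matches session',              'member@example.org', 'c0ffee'  ],
    [ 'valid cookie of someone else',                     'owner@example.org',  'c0ffee'  ],
    [ 'cookie of a freshly created session',              'nobody',             'fresh01' ],
    [ 'no cookie at all',                                 'owner@example.org',  undef     ],
);

for my $case (@cases) {
    my ($desc, $email, $cookie) = @$case;
    my ($old_ok, $old_as) = authenticate_old($email, $cookie);
    my ($new_ok)          = authenticate_new($email, $cookie);
    printf "%-52s old: %-6s as %-20s new: %s\n", $desc,
        $old_ok ? 'ACCEPT' : 'reject', $old_as // '-',
        $new_ok ? 'ACCEPT' : 'reject';
}
```

Run it with `perl` and compare the two columns: the first row is the bypass from the report (the lookup fails, so the address the caller named is accepted as-is), and the third row shows that before the fix a valid cookie acted as its owner whatever address the caller supplied, while the patched check requires both to agree.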
--- Begin Message ---
Source: sympa
Source-Version: 6.2.58~dfsg-2
Done: Stefan Hornburg (Racke) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[email protected]> (supplier of updated sympa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 28 Nov 2020 15:41:21 +0100
Source: sympa
Architecture: source
Version: 6.2.58~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Sympa team <[email protected]>
Changed-By: Stefan Hornburg (Racke) <[email protected]>
Closes: 976020
Changes:
sympa (6.2.58~dfsg-2) unstable; urgency=low
.
* Apply patch to fix unauthorized access to review call of the SOAP API
(Closes: #976020).
* Add debconf-updatepo to clean target.
.
[ Sylvain Beucler ]
* Ask the user whether they want/need sympa_newaliases-wrapper to
be setuid root (CVE-2020-26880 mitigation)
Checksums-Sha1:
413e726ac7b514d033b0af303f81da30e8860e97 2517 sympa_6.2.58~dfsg-2.dsc
49f3e19bc9212ddd040d1ede87db7ea0164e6f9e 166160 sympa_6.2.58~dfsg-2.debian.tar.xz
a0c848e13c4e335c541052ef9a85cda600a26e1a 14974 sympa_6.2.58~dfsg-2_amd64.buildinfo
Checksums-Sha256:
61b1235c7ee3f11260e6dc726c909bf4e758c6daa992f10624bad12c617f185f 2517 sympa_6.2.58~dfsg-2.dsc
afc5bc31ee2f86144fd139f7326a7a2e4734cda6fd42a09e62692210340b679b 166160 sympa_6.2.58~dfsg-2.debian.tar.xz
2ee6f69a42db704ab903b817223b0daf21fdc0d2a7cf656b4915988c18222684 14974 sympa_6.2.58~dfsg-2_amd64.buildinfo
Files:
5bb428617f74d99d8235880b4436ae08 2517 mail optional sympa_6.2.58~dfsg-2.dsc
b236330ab79717d39197dff82a1444d3 166160 mail optional sympa_6.2.58~dfsg-2.debian.tar.xz
e997cdbc99109915b2dd0e95325c2f00 14974 mail optional sympa_6.2.58~dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCAAvFiEE1oFJdaJ3d0yY0N/vW5MBW/onIPgFAl/CfU0RHHJhY2tlQGxp
bnV4aWEuZGUACgkQW5MBW/onIPitSxAAu6OWyZ0P9oFuyY6lwPrrrZnBonujoTF7
HneXZ9SFQVDQWEfihAruDw+yYjP3UtSq9Ytp9uq4BcaLMJuuBUT8kKgtYx96LY2U
UN/j3z8CuA+wbgaJ+j3f/jxS1bd1ht77ZVxjodxXRr65wb3IjbB7w6O2SVso74fT
Vcd9iKBMItlHA8w5OH9rzQnuRnr0nEModyozggZGqcTo0JGZIwlQ54yPE/NGdjuv
FBg3CRWJT/1vX0Pnkpp/wvB21c0iZi4nx+t8WjqlTj7exVj6kYuebASTMgPAQ45K
kIWGsAPt/A1n+HhMC8HSTOP5/FjtBO5dZhPHvzx2/7I8Y+tHf801d/CsQZRsYt86
LV91/rvYfu/Yw+4tohkkIaVLUsiNPiP7Fa6F/8gcV7ZLpdNz9mSmfc21No66wfyK
DK4OCR7fFJQWwwA3XNu8yrADNxhsk9HKmQRruKLrk+dSi26PhkX85sQ7NMD5ZUCw
/wzAwn9aTmPmAtPAeZZl94VTaohQvcBP7MPCMpFxWLUf2XBb0exYpsuh2Q8FOVI/
Hoqiep63YfrEzzcRwfLT9WwAgzzOfSmfIm2Qn7urpk01iPulSVOQImqwO5Z9O0ZU
zT+6m8zres5y2VDALjcComFGPVOWb0VgcFETpLPr+bIYE7A7Kl/NWu/g5xf89VvK
iUdsW54WD/M=
=opGD
-----END PGP SIGNATURE-----
--- End Message ---