package: sympa
version: 6.2.58~dfsg-2
severity: important
tags: security
forwarded: https://github.com/sympa-community/sympa/issues/1041

It is possible to retrieve the email addresses of a list through the SOAP API 
without proper authentication.

This requires the following knowledge:

- name of the list
- email of a user that is allowed to see the email addresses OR a valid 
session id

The SOAP API is not activated with the default Debconf settings.

Patch attached.

Regards
          Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 52157b54583e2052cfc1625a7311f80c94f3aed9
Author: Stefan Hornburg (Racke) <ra...@linuxia.de>
Date:   Fri Nov 27 23:28:14 2020 +0100

    Properly check email and session id in authenticateAndRun SOAP call (#1041).

diff --git a/src/lib/Sympa/WWW/SOAP.pm b/src/lib/Sympa/WWW/SOAP.pm
index 188a8b221..735963dc4 100644
--- a/src/lib/Sympa/WWW/SOAP.pm
+++ b/src/lib/Sympa/WWW/SOAP.pm
@@ -321,19 +321,16 @@ sub authenticateAndRun {
     ## session_table instead
     my $session =
         Sympa::WWW::Session->new($ENV{'SYMPA_ROBOT'}, {cookie => $cookie});
-    if (defined $session) {
-        $email      = $session->{'email'};
-        $session_id = $session->{'id_session'};
-    }
-    unless ($email or $email eq 'unknown') {
-        $log->syslog('err', 'Failed to authenticate user with session ID %s',
-            $session_id);
+
+    unless (defined $session && ! $session->{'new_session'} && $session->{'email'} eq $email) {
+        $log->syslog('err', 'Failed to authenticate user %s with session ID %s',
+            $email, $cookie);
         die SOAP::Fault->faultcode('Client')
             ->faultstring('Could not get email from cookie')->faultdetail('');
     }
 
     $ENV{'USER_EMAIL'} = $email;
-    $ENV{'SESSION_ID'} = $session_id;
+    $ENV{'SESSION_ID'} = $session->{'id_session'};
 
     no strict 'refs';
     $service->($self, @$parameters);
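Review bot: The new `unless` condition compares `$session->{'email'} eq $email` without checking that either side is defined and non-empty; under `use warnings` an undefined caller-supplied `$email` only produces a warning, and if a session object can exist with an empty or placeholder email field, an empty or matching placeholder `$email` would satisfy the check. Suggest adding an explicit `defined $email && length $email` guard (and rejecting whatever sentinel the old `'unknown'` comparison was meant to catch) alongside the `new_session` test. Two smaller points in the same hunk: the new syslog call writes the raw `$cookie` value to the log, which is the bearer credential itself rather than an opaque id, so consider logging only `$session->{'id_session'}` or a truncated form; and the `faultstring('Could not get email from cookie')` left unchanged no longer describes the failure, which is now a mismatch between the supplied email and the session, so the message should be updated. Stylistically, the long `unless (...)` line should be wrapped to match the 80-column formatting of the surrounding lines.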
