package: sympa
version: 6.2.58~dfsg-2
severity: important
tags: security
forwarded: https://github.com/sympa-community/sympa/issues/1041
It is possible to retrieve the email addresses of a list through the SOAP API without proper authentication. This requires the following knowledge:

- name of the list
- email of a user that is allowed to see the email addresses OR a valid session id

The SOAP API is not activated with the default Debconf settings.

Patch attached.

Regards
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 52157b54583e2052cfc1625a7311f80c94f3aed9 Author: Stefan Hornburg (Racke) <ra...@linuxia.de> Date: Fri Nov 27 23:28:14 2020 +0100 Properly check email and session id in authenticateAndRun SOAP call (#1041). diff --git a/src/lib/Sympa/WWW/SOAP.pm b/src/lib/Sympa/WWW/SOAP.pm index 188a8b221..735963dc4 100644 --- a/src/lib/Sympa/WWW/SOAP.pm +++ b/src/lib/Sympa/WWW/SOAP.pm @@ -321,19 +321,16 @@ sub authenticateAndRun { ## session_table instead my $session = Sympa::WWW::Session->new($ENV{'SYMPA_ROBOT'}, {cookie => $cookie}); - if (defined $session) { - $email = $session->{'email'}; - $session_id = $session->{'id_session'}; - } - unless ($email or $email eq 'unknown') { - $log->syslog('err', 'Failed to authenticate user with session ID %s', - $session_id); + + unless (defined $session && ! $session->{'new_session'} && $session->{'email'} eq $email) { + $log->syslog('err', 'Failed to authenticate user %s with session ID %s', + $email, $cookie); die SOAP::Fault->faultcode('Client') ->faultstring('Could not get email from cookie')->faultdetail(''); } $ENV{'USER_EMAIL'} = $email; - $ENV{'SESSION_ID'} = $session_id; + $ENV{'SESSION_ID'} = $session->{'id_session'}; no strict 'refs'; $service->($self, @$parameters);
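Review bot: in the new `unless (defined $session && ! $session->{'new_session'} && $session->{'email'} eq $email)` condition, the caller-supplied `$email` is compared with `eq` without first being checked, so a request that omits the email parameter raises an "uninitialized value" warning on every failed call and compares the session email against the empty string; add `defined $email && length $email` ahead of the `eq` so a missing parameter is rejected explicitly. The rewritten syslog line also replaces the session id with the raw `$cookie`, which is the credential the client presents for authentication, so anyone who can read the log can reuse it; log `$session->{'id_session'}` when a session object exists, or a truncated or hashed form of the cookie, rather than the cookie value itself. Minor: the `unless (...)` line is far longer than the surrounding code's line width; break it across lines as the existing `$log->syslog(...)` call does.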