2015-001 Security breaches in newsletter posting (CVE-2015-1306)
CVE number: CVE-2015-1306
1. Threat
Possibility to access files on the server filesystem.
2. Systems Affected
All Sympa branches are affected.
- In branch 6.0, all versions prior to 6.0.10
- In branch 6.1, all versions prior to 6.1.24
3. Summary
A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem.
This breach allows sending to a list or to a user any file located on the server filesystem and readable by the Sympa user, through the newsletter posting area of the Sympa web interface.
4. Solution
- branch 6.1: upgrade to version 6.1.24
- branch 6.0: upgrade to version 6.0.10
Users who can't upgrade to the latest versions have the following workaround: prevent mail sending through the web interface.
- Copy </home_sympa>/default/web_tt2/compose_mail.tt2 to </home_sympa>/etc/web_tt2/compose_mail.tt2
- Replace the content of the file with an HTML fragment stating that posting through the web interface has been temporarily forbidden for security reasons.
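The workaround steps above as an added shell example, not part of this advisory nor of Sympa's own code. It assumes the Sympa installation directory (written </home_sympa> in the advisory) is passed as the first argument, and the demo at the end runs against a constructed stand-in template in a temporary directory.

```shell
#!/bin/sh
# Added example: override compose_mail.tt2 at the site level (etc/web_tt2)
# so the web interface no longer renders the mail composition form.
set -eu

# Apply the advisory's workaround under the given Sympa home directory.
# Returns 0 on success, 1 if the default template is missing.
apply_compose_mail_workaround() {
    home="$1"
    src="$home/default/web_tt2/compose_mail.tt2"
    dst_dir="$home/etc/web_tt2"
    dst="$dst_dir/compose_mail.tt2"

    [ -f "$src" ] || { echo "default template not found: $src" >&2; return 1; }
    mkdir -p "$dst_dir"
    # Keep a copy of any site override that already exists.
    [ -f "$dst" ] && cp -p "$dst" "$dst.bak"
    # Step 1 of the advisory: copy the default template to the site directory.
    cp -p "$src" "$dst"
    # Step 2: replace its content with a static notice (constructed text);
    # without a <form>, nothing can be posted from this page.
    printf '%s\n' \
        '<p class="alert">Posting through the web interface has been' \
        'temporarily forbidden for security reasons.</p>' > "$dst"
    return 0
}

# Verify the override: the site-level file must exist and contain no <form>
# element, otherwise the composition form would still be reachable.
check_compose_mail_workaround() {
    dst="$1/etc/web_tt2/compose_mail.tt2"
    [ -f "$dst" ] || return 1
    grep -qi '<form' "$dst" && return 1
    return 0
}

# Self-contained demo on a constructed Sympa home (stand-in template).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/default/web_tt2"
printf '%s\n' '<form method="post">[% "constructed stand-in" %]</form>' \
    > "$demo_home/default/web_tt2/compose_mail.tt2"
check_compose_mail_workaround "$demo_home" && echo "override present" || echo "no override yet"
apply_compose_mail_workaround "$demo_home"
check_compose_mail_workaround "$demo_home" && echo "workaround applied under $demo_home"
```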
Older versions are no longer maintained. Users of these versions should upgrade to 6.1.24 or 6.0.10 to prevent potential attacks.