2018-001 Security flaws in template editing

The Sympa Community
2018-07-03 (Update)

Synopsis

A fix is available for a vulnerability discovered in Sympa web interface.

Systems Affected

• All versions prior to Sympa 6.2.32

Problem Description

A vulnerability has been discovered in Sympa web interface that allows write access to files on the server filesystem.

This flaw allows to create or modify any file writable by the Sympa user, located on the server filesystem, using the function of Sympa web interface template file saving.

Impact

Possibility to create or modify files on the server filesystem.

Workarounds

Users who can't upgrade to the latest version have the following workaround solution: Disable access to corresponding function through the web interface.

• Configure HTTP server to deny access to the location under <wwsympa_url>/savefile/. For more details consult documentation of HTTP server you are using.

Solution

• Upgrade to version 6.2.32

  • Source distribution: sympa-6.2.32.tar.gz
  • Binary distributions: Check release information by distributors.

or

• Apply a patch

  • For 6.2.28 to 6.2.30: sympa-6.2.30-sa-2018-001.patch
  • For 6.2.4 to 6.2.24: sympa-6.2.24-sa-2018-001.patch
  • For 6.2 to 6.2.3: sympa-6.2.3-sa-2018-001.patch
  • For 6.1.x: sympa-6.1.25-sa-2018-001-r1.0.patch

  Download appropriate patch file and save it in your server. Move into the directory where wwsympa.fcgi is installed, and apply patch:

  # patch -p1 < sympa-6.2.XX-sa-2018-001.patch
  

  Then restart web interface.

Versions prior to 6.2 are no longer maintained. Users of these versions should upgrade to 6.2.32 to prevent potential attacks.

CVE Numbers

CVE-2018-1000550

References

• Sympa 6.2.32 announce

Acknowledgements

The security flaw this advisory describes was reported by Michael Kaczmarczik, UT Austin ITS, Systems Enterprise Services, working with the UT Austin Information Security Office.

This advisory was published with assistance by CERT RENATER.

Change log

• 2018-04-19

  Initial version published

• 2018-07-03

  Updated

  • Solution: Adding links to patches for versions earlier than 6.2.4.
  • Acknowledgements: Creating section.
  • CVE Numbers: CVE-2018-1000550 was assigned.