2020-001 Security flaws in CSRF prevension

The Sympa Community 2020-02-24 (Update)

Synopsis

A fix is available for a vulnerability discovered in Sympa web interface.

Systems Affected

• Sympa version 6.2.38 to 6.2.52 inclusive.

Problem Description

A vulnerability has been discovered in Sympa web interface that can cause denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows to create junk files in Sympa's directory for temporary files. And particularly by tampering token to prevent CSRF, it allows to originate exessive notification messages to listmasters.

Impact

Possibility of denial of service (DoS) because of disk full or flooding messages.

Workarounds

No workaround is known at the present.

Solution

• Upgrade to version 6.2.54

  • Source distribution: sympa-6.2.54.tar.gz
  • Binary distributions: Check release information by distributors.

or

• Apply a patch

  • sympa-6.2.52-sa-2020-001.patch

  Download appropriate patch file and save it in your server. Move into the directory where wwsympa.fcgi is installed, and apply patch:

  # patch -p1 < sympa-6.2.XX-sa-2020-001.patch
  

  Then restart web interface.

CVE Numbers

CVE-2020-9369

References

• GitHub issue sympa-community/sympa#886: Security flaws in CSRF prevension
• Sympa 6.2.54 announce

Acknowledgements

The security flaw this advisory describes was reported by Javier Moreno.

Change log

• 2020-02-24

  Initial version published.

• 2020-02-24

  CVE numbers: CVE-2020-9369 was assigned.