====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN164
_____________________________________________________________________

DATE                : 19/04/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Sympa versions prior to 6.2.32.

=====================================================================
https://sympa-community.github.io/security/2018-001.html
_____________________________________________________________________

Latest version is found at
<https://sympa-community.github.io/security/2018-001.html>

2018-001 Security flaws in template editing
===========================================

The Sympa Community
2018-04-19 (Initial version)

Synopsis
--------

A fix is available for a vulnerability discovered in Sympa web
interface.


Systems Affected
----------------

  - All versions prior to Sympa 6.2.32


Problem Description
-------------------

A vulnerability has been discovered in Sympa web interface that
allows write access to files on the server filesystem.

This flaw allows to create or modify any file writable by the Sympa
user, located on the server filesystem, using the function of Sympa
web interface template file saving.


Impact
------

Possibility to create or modify files on the server filesystem.


Workarounds
-----------

Users who can't upgrade to the latest version have the following
workaround solution: Disable access to corresponding function
through the web interface.

  - Configure HTTP server to deny access to the location under
    `<wwsympa_url>/savefile/`.  For more details consult
    documentation of HTTP server you are using.


Solution
--------

  - Upgrade to version 6.2.32

      - Source distribution: [sympa-6.2.32.tar.gz]

<https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.32.tar.gz>
      - Binary distributions: Check release information by
        distributors.

or

   - Apply a patch

      - For 6.2.28 to 6.2.30: [sympa-6.2.30-sa-2018-001.patch]

<https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.30-sa-2018-001.patch>
      - For 6.2.4 to 6.2.24: [sympa-6.2.24-sa-2018-001.patch]

<https://github.com/sympa-community/sympa/releases/download/6.2.32/sympa-6.2.24-sa-2018-001.patch>

      Download appropriate patch file and save it in your server.  Move
      into the directory where `wwsympa.fcgi` is installed, and apply
      patch:

      # patch -p1 < sympa-6.2.XX-sa-2018-001.patch

      Then restart web interface.

Versions prior to 6.2 are no longer maintained. Users of these
versions should upgrade to 6.2.32 to prevent potential attacks.


CVE Numbers
-----------

Pending.


References
----------

  - [Sympa 6.2.32 announce]
    <https://github.com/sympa-community/sympa/releases/tag/6.2.32>


Change log
----------

  - 2018-04-19: Initial version published

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================