====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN095
_____________________________________________________________________

DATE                : 25/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Sympa versions prior to 6.2.54.

=====================================================================
https://sympa-community.github.io/security/2020-001.html
_____________________________________________________________________

2020-001 Security flaws in CSRF prevension

The Sympa Community 2020-02-24 (Update)


Synopsis

A fix is available for a vulnerability discovered in Sympa web
interface.


Systems Affected

    Sympa version 6.2.38 to 6.2.52 inclusive.


Problem Description

A vulnerability has been discovered in Sympa web interface that can
cause denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows to
create junk files in Sympa’s directory for temporary files. And
particularly by tampering token to prevent CSRF, it allows to originate
exessive notification messages to listmasters.


Impact

Possibility of denial of service (DoS) because of disk full or flooding
messages.


Workarounds

No workaround is known at the present.


Solution

    Upgrade to version 6.2.54
        Source distribution: sympa-6.2.54.tar.gz
        Binary distributions: Check release information by distributors.

or

    Apply a patch
        sympa-6.2.52-sa-2020-001.patch

    Download appropriate patch file and save it in your server. Move
into the directory where wwsympa.fcgi is installed, and apply patch:

     # patch -p1 < sympa-6.2.XX-sa-2020-001.patch

    Then restart web interface.


CVE Numbers

CVE-2020-9369


References

    GitHub issue sympa-community/sympa#886: Security flaws in CSRF
prevension

    Sympa 6.2.54 announce


Acknowledgements

The security flaw this advisory describes was reported by Javier Moreno.


Change log

    2020-02-24

    Initial version published.

    2020-02-24

    CVE numbers: CVE-2020-9369 was assigned.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================