[CVE-2020-29668] Unauthorised full access via SOAP API due to illegal cookie #1041

Closed
@balert

Version

v6.2.56-1.el7 on Centos 7.8.2003

Installation method

Centos package

Expected behavior

permission denied

Actual behavior

Error message, and the action is actually executed anyway.

Additional information

In our setup we have a problem with incorrect cookies via the SOAP API of Sympa.
If the SOAP request contains a correct cookie, everything works as expected -> request executed.
If the SOAP request contains a correct but outdated cookie, everything works as expected -> request correctly denied.

If the SOAP request contains an arbitrary string as cookie (e.g. "asdkjasdljkahsdlkjh"), SOAP replies with an error ("Undefined session ID in cookie") but STILL executes every request we make. By this we can add email addresses to lists without authentication; any operation we tried was still successful.

We could hotfix the problem by inserting a die(); command into /usr/share/sympa/lib/Sympa/WWW/Session.pm:129 like this:

    my $session_id = _cookie2id($cookie);
    unless ($session_id) {
        $log->syslog('info', 'Undefined session ID in cookie "%s"', $cookie);
        die('nothing');
        return undef;
    }
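
The behaviour reported above (an error is logged for the bad cookie, yet the request still runs) is a fail-open check. The following Perl example is an added illustration, not Sympa's code and not part of the original report; the session store, the cookie format and all function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration; NOT Sympa code. All names here are hypothetical.
use strict;
use warnings;

# Constructed session store: session ID => authenticated user.
my %SESSIONS = ('4f2a9c01' => 'owner@example.org');

# Hypothetical cookie parser: only 8 hex digits count as a session ID.
sub cookie_to_id {
    my ($cookie) = @_;
    return ($cookie // '') =~ /\A([0-9a-f]{8})\z/ ? $1 : undef;
}

# Like the snippet in the report: log and return undef on a bad cookie.
sub load_session {
    my ($cookie) = @_;
    my $id = cookie_to_id($cookie);
    unless (defined $id and exists $SESSIONS{$id}) {
        warn sprintf "Undefined session ID in cookie \"%s\"\n", $cookie // '';
        return undef;
    }
    return {id => $id, email => $SESSIONS{$id}};
}

# Fail-open caller: a missing session is never treated as a failure, so the
# action runs whatever the cookie was.
sub run_fail_open {
    my ($cookie, $action) = @_;
    my $session = load_session($cookie);
    return $action->($session && $session->{email});
}

# Fail-closed caller: no session, no action.
sub run_fail_closed {
    my ($cookie, $action) = @_;
    my $session = load_session($cookie)
        or return 'permission denied';
    return $action->($session->{email});
}

# Constructed inputs: one valid cookie and the arbitrary string from the report.
my $add = sub { 'added subscriber (as ' . ($_[0] // 'nobody') . ')' };
for my $cookie ('4f2a9c01', 'asdkjasdljkahsdlkjh') {
    printf "%-20s open:   %s\n", $cookie, run_fail_open($cookie, $add);
    printf "%-20s closed: %s\n", $cookie, run_fail_closed($cookie, $add);
}
```

A regression test for this class of bug sends a syntactically invalid cookie and asserts both that the error is returned and that the requested state change did not happen.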
