[CVE-2020-29668] Unauthorised full access via SOAP API due to illegal cookie
Created by: balert
Version
v6.2.56-1.el7 on Centos 7.8.2003
Installation method
Centos package
Expected behavior
Permission denied.
Actual behavior
An error message is returned, but the action is actually executed anyway.
Additional information
In our setup we have a problem with incorrect cookies via the SOAP API of Sympa. If the SOAP request contains a correct cookie, everything works as expected -> request executed. If the SOAP request contains a correct but outdated cookie, everything works as expected -> request correctly denied.
If the SOAP request contains an arbitrary string as cookie (e.g. "asdkjasdljkahsdlkjh"), SOAP replies with an error ("Undefined session ID in cookie") but STILL executes every request we make. By this we can add email addresses to lists without authentication; any operation we tried was still successful.
We could hotfix the problem by inserting a die(); command into /usr/share/sympa/lib/Sympa/WWW/Session.pm:129 like this:
```perl
my $session_id = _cookie2id($cookie);
unless ($session_id) {
    $log->syslog('info', 'Undefined session ID in cookie "%s"', $cookie);
    die('nothing');   # hotfix: abort here so the request cannot continue
    return undef;     # original code: caller did not stop on undef
}
```
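As an added illustration (a constructed Python model, not Sympa's Perl code; the session store, `handle_vulnerable`, `handle_fixed` and the action name are assumptions), the fail-open pattern this report describes beside a fail-closed dispatcher that denies whenever the cookie yields no session:

```python
"""Constructed model of the fail-open session check described in this report.
Not Sympa's code; the session store and function names are assumptions."""
import logging

log = logging.getLogger("soap")

# Constructed session store: cookie value -> expiry time (epoch seconds).
NOW = 1_700_000_000
SESSIONS = {
    "valid-session-cookie": NOW + 3600,    # correct cookie
    "expired-session-cookie": NOW - 3600,  # correct but outdated cookie
}


def cookie2id(cookie):
    """Model of _cookie2id: only a known cookie maps to a session ID."""
    return cookie if cookie in SESSIONS else None


def load_session(cookie):
    """Return a session dict, or None when the cookie is not a session ID.
    Mirrors the reported branch: log the problem, then return undef/None."""
    session_id = cookie2id(cookie)
    if not session_id:
        log.info('Undefined session ID in cookie "%s"', cookie)
        return None
    return {"id": session_id, "expired": SESSIONS[session_id] < NOW}


def handle_vulnerable(cookie, action):
    """Fail-open dispatcher: only an *expired* session is rejected; a None
    session falls through and the action still runs (the reported behaviour)."""
    session = load_session(cookie)
    if session and session["expired"]:
        return "denied"
    return action()


def handle_fixed(cookie, action):
    """Fail-closed dispatcher: a missing or expired session is denied
    before any action is dispatched."""
    session = load_session(cookie)
    if session is None or session["expired"]:
        return "denied"
    return action()


def add_subscriber():
    """Stand-in for a privileged SOAP operation (constructed)."""
    return "executed"
```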