sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Does a user have to be owner/editor to confirm the distribution of a message? #1598

Closed qosobrin closed 1 year ago

qosobrin commented 1 year ago

Version

6.2.60

Installation method

Debian Bullseye package

Expected behavior

The confirmation message to distribute a message in a moderated list should only be accepted if the sender of the given confirmation message is one of the owners/editors of the list.

Actual behavior

Only the confirmation code is needed to confirm the distribution of a message in a list, but that code can be sent by any user that is not an owner/editor of the list. That means that anyone can moderate a list if he/she has access to the confirmation codes.

Additional information

A moderated list has an editor whose email address is an email alias (every mail sent to that alias address is expanded and delivered to a couple of users, say Mary and John). When someone sends a message to this list, Mary and John receive the confirmation request message in their mailboxes. Mary replies to that confirmation request using her email address as the sender of the confirmation message. The message is distributed in the list.

I wonder if the sender address of this confirmation message should also be evaluated (together with the confirmation code) to distribute/reject a message in a moderated list.

ikedas commented 1 year ago

Either of the following send scenarios may request non-admins for confirmation. Especially, confirmation (by the poster) may be combined with moderation (by the moderator).

qosobrin commented 1 year ago

Thank you, @ikedas, for your answer, but my question is regarding the editorkey process. Apparently the key to approve or reject the delivery of a moderated message can be sent by anyone that does not have any relationship with the list and the key is processed as long as it is a valid key. In my opinion, the editorkey process should validate BOTH the key and the sender of the key.

ikedas commented 1 year ago

> Apparently the key to approve or reject the delivery of a moderated message can be sent by anyone that does not have any relationship with the list and the key is processed as long as it is a valid key.

I think it’s a security flaw of mail interface of Sympa in its nature by which an attacker can take the privileges of the moderator.

> In my opinion, the editorkey process should validate BOTH the key and the sender of the key.

qosobrin commented 1 year ago

> I think it’s a security flaw of mail interface of Sympa in its nature by which an attacker can take the privileges of the moderator.

Shouldn't it be corrected? I understand that it is not a bug, but a flaw like this should have some priority to be corrected or mitigated somehow.

ikedas commented 1 year ago

Is this issue a question or a feature request?

qosobrin commented 1 year ago

A question; consider it answered.
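
The check discussed in this thread, as an added example that is not Sympa code and not part of the original issue: a small model that compares key-only confirmation with key-plus-sender confirmation, including the alias setup from the report. The list, addresses, key and all function names are constructed for illustration.

```python
import hmac
from email.utils import parseaddr

# Constructed sample data: hypothetical list, addresses and key.
EDITORS = {"moderators@example.org"}  # the editor address is an alias
ALIASES = {"moderators@example.org": {"mary@example.org", "john@example.org"}}
PENDING = {"3f9c0a7e51d24b68": "held-msg-001"}  # confirmation key -> held message


def allowed_senders(editors, aliases):
    """Editor addresses plus the mailboxes their aliases expand to."""
    allowed = set()
    for addr in editors:
        allowed.add(addr.lower())
        allowed.update(a.lower() for a in aliases.get(addr, ()))
    return allowed


def find_held(key, pending):
    """Look the key up with a constant-time comparison per candidate."""
    for known, msg_id in pending.items():
        if hmac.compare_digest(known.encode(), key.encode()):
            return msg_id
    return None


def decide(from_header, key, aliases=ALIASES, check_sender=True):
    """Decide what to do with a confirmation mail carrying `key`.

    Assumes from_header was authenticated upstream (for example DKIM or
    S/MIME); an unauthenticated From header can be forged.
    """
    if find_held(key, PENDING) is None:
        return "reject: unknown key"
    if not check_sender:
        return "distribute"  # key-only behaviour reported in the issue
    sender = parseaddr(from_header)[1].lower()
    if sender in allowed_senders(EDITORS, aliases):
        return "distribute"
    return "reject: sender is not an editor"


if __name__ == "__main__":
    key = "3f9c0a7e51d24b68"
    print(decide("Eve <eve@example.net>", key, check_sender=False))
    print(decide("Eve <eve@example.net>", key))
    print(decide("Mary <mary@example.org>", key))
    print(decide("Mary <mary@example.org>", key, aliases={}))
```

The last call shows the cost of a sender check in the reported setup: unless the alias expansion is known to the list manager, Mary's reply from her own address is rejected even though she legitimately received the key.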