sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

"Hacker" script poking at wwsympa sso_login generates lots of email to listmaster #1654

Closed dpc22 closed 1 year ago

dpc22 commented 1 year ago

Version

6.2.70

Installation method

My own RPM, derived from "official" RHEL rpm

Expected behavior

wwsympa shouldn't generate notification emails to listmaster just because an unknown Web client submitted a HTTP GET or POST with invalid parameters: that is outside our control.

Actual behavior

I received about 120 messages of the form:

Subject: Listmaster: internal server error
Date: Mon, 3 Apr 2023 06:27:51 +0100
From: SYMPA <sympa@lists.cam.ac.uk>
To: Listmaster <listmaster@lists.cam.ac.uk>

 User  has encountered an internal server error
(Web interface - ACTION: sso_login):

no_identified_user

See the logs for more details.

this morning. These seem to correspond to:

Apr 3 06:24:21 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.cam.ac.uk] [client 193.29.13.232] Syntax error for parameter list value "1');SELECT PG_SLEEP(5)--" not conform to regexp:[\w-.+]*

Apr 3 06:24:21 lists-1 wwsympa[18195]: info main::do_sso_login(ucam_federation) [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]

Apr 3 06:24:21 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232] User could not be identified, no mail HTTP header set

Apr 3 06:24:21 lists-1 wwsympa[18195]: info main::do_home() [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]

("User could not be identified, no mail HTTP header set" seems to be significant. wwsympa logged about 5000 attempted SQL injection attacks, but only a small fraction generated emails).

Additional information

This is related to a ticket that I opened about 18 months back: https://github.com/sympa-community/sympa/issues/1244

While the denial of service attack element seems to have been fixed (that was definitely the more important aspect), it looks like people poking at sso_login can still generate emails to listmaster.

ikedas commented 1 year ago

Hi @dpc22, Could you please check the PR above?

dpc22 commented 1 year ago

-          add_stash('intern', 'no_identified_user');
+         add_stash('user', 'no_identified_user');
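Review bot: the hunk only lowers the stash level from 'intern' to 'user', which stops the listmaster notice but leaves the request flow in the quoted logs unchanged: a request whose `list` parameter already failed validation in get_parameters still proceeds into do_sso_login and only then fails with "no mail HTTP header set", so each probe still writes two err records. Consider short-circuiting the action when a parameter fails validation rather than only suppressing the notification, and, since `no_identified_user` now surfaces at the user-visible level, check that the web client is shown a meaningful message for that key rather than the bare identifier.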

certainly looks plausible if "intern" is the cause of the messages to listmaster. Thank you.

ikedas commented 1 year ago

I agree. I don't think it's a good idea to send emergency notices to administrators via email.

racke commented 1 year ago

Fail2ban or similar is the better tool to cope with incoming crap.
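The log pattern dpc22 quotes (a `Syntax error for parameter ... [client IP]` line followed by `User could not be identified, no mail HTTP header set` from the same client) is exactly what racke's fail2ban suggestion would key on. The block below is an added example, not Sympa project code or a filter shipped by either project: it holds a fail2ban-style filter for those two wwsympa `err` records, runs the same regexes over a constructed syslog sample modelled on the lines in the issue (the second address 203.0.113.7 and the repeated probes are invented for the example), and reports which clients would pass a `maxretry` threshold. The `<HOST>` expansion and the counting are simplified stand-ins for fail2ban's own (no `findtime` window, IPv4/IPv6 literal only); the INI text itself is what you would drop into `/etc/fail2ban/filter.d/` and should be checked against a real log with `fail2ban-regex` before enabling a jail.

```python
"""Detect the sso_login probe pattern from the issue in wwsympa syslog lines and
carry a fail2ban-style filter for it. Added example, not Sympa project code."""
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the issue. The second
# client address (203.0.113.7, a documentation range) and the repeated probes
# are invented for the example; the payload string is the one from the report.
SAMPLE_LOG = r"""
Apr  3 06:24:21 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.cam.ac.uk] [client 193.29.13.232] Syntax error for parameter list value "1');SELECT PG_SLEEP(5)--" not conform to regexp:[\w-.+]*
Apr  3 06:24:21 lists-1 wwsympa[18195]: info main::do_sso_login(ucam_federation) [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]
Apr  3 06:24:21 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232] User could not be identified, no mail HTTP header set
Apr  3 06:24:21 lists-1 wwsympa[18195]: info main::do_home() [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]
Apr  3 06:24:22 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.cam.ac.uk] [client 193.29.13.232] Syntax error for parameter list value "1');SELECT PG_SLEEP(5)--" not conform to regexp:[\w-.+]*
Apr  3 06:24:22 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778495] [client 193.29.13.232] User could not be identified, no mail HTTP header set
Apr  3 06:24:23 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.cam.ac.uk] [client 193.29.13.232] Syntax error for parameter list value "1');SELECT PG_SLEEP(5)--" not conform to regexp:[\w-.+]*
Apr  3 06:24:23 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778496] [client 193.29.13.232] User could not be identified, no mail HTTP header set
Apr  3 06:30:02 lists-1 wwsympa[18201]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778500] [client 203.0.113.7] User could not be identified, no mail HTTP header set
""".strip().splitlines()

# fail2ban-style filter (hypothetical file name: /etc/fail2ban/filter.d/wwsympa.conf).
# <HOST> is fail2ban's placeholder for the client address. Only the 'err'
# records are matched, so the 'info' lines of a legitimate login never count.
FILTER_INI = r"""
[Definition]
failregex = wwsympa\[\d+\]: err .*\[client <HOST>\] Syntax error for parameter \S+ value
            wwsympa\[\d+\]: err .*\[client <HOST>\] User could not be identified, no mail HTTP header set
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> expansion: an IPv4 or IPv6 literal.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"


def parse_failregex(ini_text):
    """Pull the failregex lines (first line plus indented continuations) out of
    the filter text and compile them with <HOST> expanded."""
    patterns = []
    in_failregex = False
    for raw in ini_text.strip().splitlines():
        line = raw.rstrip()
        if line.startswith("failregex"):
            in_failregex = True
            line = line.split("=", 1)[1]
        elif in_failregex and raw[:1] in (" ", "\t"):
            pass  # continuation line of the failregex block
        else:
            in_failregex = False
            continue
        patterns.append(re.compile(line.strip().replace("<HOST>", HOST_RE)))
    return patterns


def failing_hosts(lines, patterns):
    """Count matching err records per client address, one hit per line."""
    hits = Counter()
    for line in lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break
    return hits


def offenders(lines, maxretry=5, patterns=None):
    """Clients whose hit count reaches maxretry (fail2ban's findtime window is
    ignored in this simplified counter)."""
    patterns = patterns or parse_failregex(FILTER_INI)
    counts = failing_hosts(lines, patterns)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    pats = parse_failregex(FILTER_INI)
    for host, n in failing_hosts(SAMPLE_LOG, pats).most_common():
        print(f"{host}: {n} err records")
    print("would ban:", offenders(SAMPLE_LOG, maxretry=5))
```

Each probe produces two `err` lines, so a `maxretry` of 5 trips on the third probe from one address while a single failed real login (one record) stays well under it; tune `maxretry` and `findtime` in the jail to the number of records per probe rather than per request.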