sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0
237 stars, 95 forks

[Security] Autologin using one_time_ticket #1724

Closed tntteam closed 9 months ago

tntteam commented 9 months ago

Hello,

This is not a "bug" but more a security concern. SYMPA generates a one_time_ticket link when sending emails waiting to be moderated. These links look like http://domain/sympa/ticket/xxxxxxxxxxxxxx and allow you to review / validate / reject the message waiting to be moderated.

But, this is my main concern, it also auto authenticates you to the sympa web interface.

Someone intercepting this moderation email is authenticated as the user and this should not happen. Because with this you can manage the list, post to the list as the user and so on.

This one-time link is also kinda weak for an autologin link (14 random numbers).

Version

Installation method

Expected behavior

This link should allow you to manage the email waiting to be moderated and nothing more. It should not give you a valid user session.

Actual behavior

This link automatically logs you in to the user's session and gives you all of that user's rights.

Steps to reproduce

Additional information
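The distinction the report draws, a link that is a capability for one moderation decision versus a link that is a full login, can be shown in code. The following is an added illustration written for this page, not Sympa's own implementation (Sympa is written in Perl; Python is used here only so the sketch is short and self-contained). The ticket store, the `issue_ticket`/`redeem_ticket` functions, the `"moderate"` scope name and the 72-hour lifetime are all assumptions made for the example. The ticket is high-entropy, stored only as a hash, bound to one action on one message, expires, and is burned on first use; redeeming it yields the moderator's address for that one decision and never creates a web session.

```python
import hashlib
import math
import secrets
import time

# Constructed in-memory ticket store for the example; a real service would
# keep these rows in its database. Keys are SHA-256 hashes of the ticket, so a
# leaked store does not hand out usable links.
TICKETS = {}


def ticket_entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random ticket of `length` symbols.
    14 decimal digits give about 46.5 bits; secrets.token_urlsafe(32) gives 256."""
    return length * math.log2(alphabet_size)


def _key(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_ticket(email, action, object_id, ttl_seconds=72 * 3600, now=None):
    """Mint a single-use ticket that authorises exactly `action` on `object_id`
    (e.g. "moderate" on one held message id) for `email`. Returns the secret
    to embed in the emailed link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy from the OS CSPRNG
    TICKETS[_key(token)] = {
        "email": email,
        "action": action,
        "object": object_id,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return token


def redeem_ticket(token, requested_action, requested_object, now=None):
    """Return the authorised email if `token` is valid for exactly this
    action/object pair, else None. The caller gets a capability for one
    decision; it must NOT turn this into a login session for `email`."""
    now = time.time() if now is None else now
    rec = TICKETS.get(_key(token))
    if rec is None:
        return None                      # unknown or forged ticket
    if rec["used"] or now > rec["expires"]:
        return None                      # replayed or stale link
    if rec["action"] != requested_action or rec["object"] != requested_object:
        return None                      # scoped capability: wrong action/object
    rec["used"] = True                   # burn on first successful use
    return rec["email"]


if __name__ == "__main__":
    # Constructed walk-through: the moderator link works once, for one message,
    # and cannot be repurposed as a list-admin login.
    tok = issue_ticket("moderator@example.org", "moderate", "msg-0001")
    print("entropy of 14 digits:", round(ticket_entropy_bits(10, 14), 1), "bits")
    print("list admin via ticket:", redeem_ticket(tok, "list_admin", "msg-0001"))
    print("moderate msg-0001:", redeem_ticket(tok, "moderate", "msg-0001"))
    print("replay:", redeem_ticket(tok, "moderate", "msg-0001"))
```

The check a reviewer would apply to any ticket endpoint is the one in `redeem_ticket`: the handler compares the ticket's recorded scope against the action actually being requested, and the success path returns an address to act on behalf of for that single decision rather than writing a session cookie.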

tntteam commented 9 months ago

Edit: it seems this has been fixed in recent versions, my bad!

ikedas commented 9 months ago

A duplicate of #156.