
"Hacker" script poking at wwsympa generates lots of email to listmaster. #1244

Closed
dpc22 opened this issue Oct 6, 2021 · 8 comments · Fixed by #1247
Comments

@dpc22
Contributor

dpc22 commented Oct 6, 2021

Version

6.2.66

Installation method

My own RPM, derived from "official" RHEL rpm

Expected behavior

wwsympa shouldn't generate notification emails to listmaster just because an unknown Web client submitted an HTTP GET or POST with invalid parameters: that is outside our control.

Actual behavior

Someone in China fired up a script which attempted random SQL injection attacks against wwsympa: I don't have evidence of a targeted attack.

We received 429 "Listmaster: internal server error" messages this morning in the space of 20 minutes, until I blocked the IP address in question.

I think that these are largely linked to do_sso_login() with a random nonsense value for the authentication service parameter ("bxss.me"/"2on0943dg8uk.php"). There is an awful lot of "not conform to regex", but I hope those aren't generating emails.

Here are two examples:

Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login(ucam_federation) [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] 
Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login() [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] POST request processing
Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login() [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] Redirect user to https://lists.cam.ac.uk/sympa/sso_login/ucam_federation/init
Oct  6 08:26:57 lists-1 wwsympa[11355]: err main::#1260 > main::get_parameters#2153 [robot lists.cam.ac.uk] [client 221.7.44.98] Syntax error for parameter csrftoken value "action_login=Login" not conform to regexp:[\w\-\.]+
Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login(bxss.me) [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] 
Oct  6 08:26:58 lists-1 wwsympa[11355]: notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template <[email protected],5651/shelved:dkim_sign>; [email protected]; [email protected]; recipients=ARRAY; [email protected]; template=listmaster_notification; type=web_intern_error; action=Command process
Oct  6 08:26:58 lists-1 wwsympa[11355]: notice Sympa::Spool::Outgoing::store() Message Sympa::Message::Template <[email protected],5651/shelved:dkim_sign> is stored into bulk spool as <[email protected]_s,11355,4955>
Oct  6 08:26:58 lists-1 wwsympa[11355]: err main::#1563 > main::do_sso_login#3735 [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] Unknown authentication service bxss.me

Oct  6 08:27:02 lists-1 wwsympa[11355]: info main::do_home() [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] 
Oct  6 08:27:03 lists-1 wwsympa[11355]: info main::do_subscribe() [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] [list cs-ds-info] 
Oct  6 08:27:03 lists-1 wwsympa[11355]: info main::do_sso_login(2on0943dg8uk.php) [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] 
Oct  6 08:27:04 lists-1 wwsympa[11355]: notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template <[email protected],7065/shelved:dkim_sign>; [email protected]; [email protected]; recipients=ARRAY; [email protected]; template=listmaster_notification; type=web_intern_error; action=Command process
Oct  6 08:27:04 lists-1 wwsympa[11355]: notice Sympa::Spool::Outgoing::store() Message Sympa::Message::Template <[email protected],7065/shelved:dkim_sign> is stored into bulk spool as <[email protected]_s,11355,2176>
Oct  6 08:27:04 lists-1 wwsympa[11355]: err main::#1563 > main::do_sso_login#3735 [robot lists.cam.ac.uk] [session 87111373342364] [client 221.7.44.98] Unknown authentication service 2on0943dg8uk.php
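The log excerpt above shows the pattern a listmaster would want to catch early: an info line naming the bogus service, a listmaster_notification of type web_intern_error queued by the same wwsympa worker, then the "Unknown authentication service" error. As an added example (not part of the original issue and not Sympa's own code), the Python script below parses lines in that syslog format, attributes each web_intern_error notification to the client IP most recently seen by the same worker pid, and flags clients that trigger more than a threshold of notifications. The sample lines, IP addresses, host names and service names are constructed for the example.

```python
"""Triage wwsympa syslog lines: who is driving listmaster web_intern_error mail?"""
import re
from collections import Counter

# Syslog prefix as quoted in the issue: "Oct  6 08:26:57 lists-1 wwsympa[11355]: info ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wwsympa\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+) (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]")
UNKNOWN_SVC_RE = re.compile(r"Unknown authentication service (?P<svc>\S+)")
NOTIFY_RE = re.compile(r"template=listmaster_notification; type=(?P<type>\w+)")

# Constructed sample, modelled on the lines quoted in the issue (RFC 5737 test addresses).
SAMPLE_LOG = """\
Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login(example_federation) [robot lists.example.org] [session 1] [client 192.0.2.10] [list demo]
Oct  6 08:26:57 lists-1 wwsympa[11355]: info main::do_sso_login(bogus.example) [robot lists.example.org] [session 1] [client 192.0.2.10] [list demo]
Oct  6 08:26:58 lists-1 wwsympa[11355]: notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template <constructed>; template=listmaster_notification; type=web_intern_error; action=Command process
Oct  6 08:26:58 lists-1 wwsympa[11355]: err main::#1563 > main::do_sso_login#3735 [robot lists.example.org] [session 1] [client 192.0.2.10] [list demo] Unknown authentication service bogus.example
Oct  6 08:27:03 lists-1 wwsympa[11355]: info main::do_sso_login(junk.php) [robot lists.example.org] [session 1] [client 192.0.2.10]
Oct  6 08:27:04 lists-1 wwsympa[11355]: notice Sympa::Spindle::ProcessTemplate::_twist() Processing Sympa::Message::Template <constructed>; template=listmaster_notification; type=web_intern_error; action=Command process
Oct  6 08:27:04 lists-1 wwsympa[11355]: err main::#1563 > main::do_sso_login#3735 [robot lists.example.org] [session 1] [client 192.0.2.10] Unknown authentication service junk.php
Oct  6 08:27:10 lists-1 wwsympa[11356]: info main::do_sso_login(example_federation) [robot lists.example.org] [session 2] [client 198.51.100.7]
Oct  6 08:27:10 lists-1 wwsympa[11356]: info main::do_sso_login() [robot lists.example.org] [session 2] [client 198.51.100.7] Redirect user to https://lists.example.org/sympa/sso_login/example_federation/init
"""


def parse_line(line):
    """Split one syslog line into pid, level, client IP, notification type and unknown service."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    c = CLIENT_RE.search(event["rest"])
    event["client"] = c.group("ip") if c else None
    n = NOTIFY_RE.search(event["rest"])
    event["notify_type"] = n.group("type") if n else None
    u = UNKNOWN_SVC_RE.search(event["rest"])
    event["unknown_service"] = u.group("svc") if u else None
    return event


def summarize(lines):
    """Count listmaster notifications per client and per type, plus unknown service names.

    The notice line that queues the notification carries no client field, so it is
    attributed to the client last seen by the same worker pid (the info line before it).
    """
    last_client = {}          # pid -> last client IP seen for that worker process
    by_client = Counter()     # client IP -> listmaster notifications attributed to it
    by_type = Counter()       # notification type -> count
    services = Counter()      # (client IP, bogus service name) -> count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["client"]:
            last_client[ev["pid"]] = ev["client"]
        if ev["notify_type"]:
            by_type[ev["notify_type"]] += 1
            by_client[last_client.get(ev["pid"], "unknown")] += 1
        if ev["unknown_service"]:
            services[(ev["client"], ev["unknown_service"])] += 1
    return {"by_client": by_client, "by_type": by_type, "services": services}


def noisy_clients(summary, threshold):
    """Client IPs that triggered at least `threshold` listmaster notifications, sorted."""
    return sorted(ip for ip, n in summary["by_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for (ip, svc), n in s["services"].items():
        print(f"{ip}: unknown service {svc!r} x{n}")
    print("notifications by type:", dict(s["by_type"]))
    print("clients over threshold:", noisy_clients(s, 2))
```

Run it against a real wwsympa log with `summarize(open(path).read().splitlines())`; the threshold is a local policy choice, and in the incident described above (429 messages in 20 minutes from one address) any small value would have singled out the client long before a human noticed the mailbox filling.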
@dpc22
Contributor Author

dpc22 commented Oct 6, 2021

This poking also broke logins to wwsympa using sso_login until I restarted it. wwsympa presented half a dozen different login boxes instead of the two that you normally see at: https://lists.cam.ac.uk/sympa ("Login using Raven" (our SSO service) and "Login locally").

I'm rather alarmed that random poking can break logins: there would appear to be security implications. It looks like all login attempts using SSO were broken from 08:30 to 10:24 when I restarted wwsympa, about 400 legitimate login attempts in total.

A legitimate login attempt while in this broken state generated the error below.

Oct  6 10:23:27 lists-1 wwsympa[11357]: info main::do_home() [robot lists.cam.ac.uk] [session 81985556773205] [client 82.10.153.210] 
Oct  6 10:23:31 lists-1 wwsympa[11358]: err main::#1260 > main::get_parameters#2153 [robot lists.cam.ac.uk] [client 82.10.153.210] Syntax error for parameter auth_service_name value "2on0943dg8uk.jsp�976402�actuator�duX9m2Lx�gcX3OMmS�sympa�ucam_federation" not conform to regexp:[\w\-\.]+
Oct  6 10:23:31 lists-1 wwsympa[11358]: info main::check_action_parameters() [robot lists.cam.ac.uk] [session 81985556773205] [client XXX.XXX.XXX.XXX] Missing parameter "auth_service_name"
Oct  6 10:23:31 lists-1 wwsympa[11358]: err main::#1548 [robot lists.cam.ac.uk] [session 81985556773205] [client 82.10.153.210] Missing required parameters for action "sso_login"

@dpc22
Contributor Author

dpc22 commented Oct 6, 2021

One of my users helpfully provided a screenshot of the broken state, with the extra login buttons. I was cursing that I failed to take a screenshot earlier.
[screenshot: broken]

@dpc22 dpc22 changed the title "Hacker" script poking at wwsympa generates lots of email to listmaster "Hacker" script poking at wwsympa generates lots of email to listmaster. Also breaks sso_login attempts Oct 6, 2021
@dpc22 dpc22 changed the title "Hacker" script poking at wwsympa generates lots of email to listmaster. Also breaks sso_login attempts "Hacker" script poking at wwsympa generates lots of email to listmaster. Also breaks all sso_login attempts Oct 6, 2021
@dpc22
Contributor Author

dpc22 commented Oct 6, 2021

curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid&action_sso_login=invalid" -X POST https://.../sympa

generates an error message to listmaster
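The curl reproducer above sends a well-formed but unknown auth_service_name, and the server treats that as an internal error worth a listmaster email. As an added example (not Sympa's code and not the fix in the linked PR), the Python handler below shows the classification a defender would want: parameters that fail the syntax rule the log reports, `[\w\-\.]+`, or that name a service not in the configured set, are client errors logged at info with a 4xx response and no notification, while only a failure inside the server's own redirect building is escalated to listmaster. The service set and the `redirect` hook are hypothetical.

```python
"""Hypothetical sso_login handling that keeps client-caused errors out of listmaster mail."""
import re
from urllib.parse import parse_qs

# Syntax rule quoted in the wwsympa log for auth_service_name / csrftoken.
PARAM_RE = re.compile(r"^[\w\-\.]+$")

# Constructed: the SSO services this installation has actually configured.
KNOWN_SERVICES = frozenset({"ucam_federation"})


def default_redirect(service):
    """Build the init URL for a configured service (hypothetical path layout)."""
    return f"/sympa/sso_login/{service}/init"


def handle_sso_login(body, known_services=KNOWN_SERVICES, redirect=default_redirect):
    """Classify an sso_login POST body.

    Returns a dict with the HTTP status to send, the syslog level to use, whether
    listmaster should be notified, and either a reason or a redirect location.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    service = params.get("auth_service_name", "")

    # Malformed input: the client's problem, log it and answer 400.
    if not PARAM_RE.match(service):
        return {"status": 400, "log": "info", "notify_listmaster": False,
                "reason": "auth_service_name does not match [\\w\\-\\.]+"}

    # Well-formed but not configured: still the client's problem, not an internal error.
    if service not in known_services:
        return {"status": 400, "log": "info", "notify_listmaster": False,
                "reason": f"unknown authentication service {service}"}

    # Only a failure in our own code path is an internal error worth listmaster's attention.
    try:
        location = redirect(service)
    except Exception as exc:
        return {"status": 500, "log": "err", "notify_listmaster": True,
                "reason": f"internal error building redirect: {exc}"}
    return {"status": 302, "log": "info", "notify_listmaster": False, "location": location}


if __name__ == "__main__":
    probe = "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid&action_sso_login=invalid"
    print(handle_sso_login(probe))
    print(handle_sso_login("auth_service_name=ucam_federation"))
```

With this split, the curl probe from the comment above produces one info log line and a 400, and the only way to reach a listmaster notification is a genuine failure on the server side.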

@ikedas
Member

ikedas commented Oct 6, 2021

@dpc22, can you please submit a separate issue on the latter problem (broken sso_login attempts)?

@dpc22
Contributor Author

dpc22 commented Oct 6, 2021

Will do, although I think that they are actually two different manifestations of the same problem.

@dpc22 dpc22 changed the title "Hacker" script poking at wwsympa generates lots of email to listmaster. Also breaks all sso_login attempts "Hacker" script poking at wwsympa generates lots of email to listmaster. Oct 6, 2021
@ikedas ikedas added the bug label Oct 7, 2021
@ikedas ikedas added this to the 6.2.68 milestone Oct 8, 2021
@ikedas
Member

ikedas commented Oct 9, 2021

The PR above contains the fix for this issue (especially d067d9c). This will be included in the next beta.
