
"Hacker" script poking at wwsympa sso_login generates lots of email to listmaster #1654

Closed
dpc22 opened this issue Apr 3, 2023 · 4 comments · Fixed by #1655

dpc22 commented Apr 3, 2023

Version

6.2.70

Installation method

My own RPM, derived from "official" RHEL rpm

Expected behavior

wwsympa shouldn't generate notification emails to listmaster just because an unknown Web client submitted an HTTP GET or POST with invalid parameters: that is outside our control.

Actual behavior

I received about 120 messages of the form:

Subject: Listmaster: internal server error
Date: Mon, 3 Apr 2023 06:27:51 +0100
From: SYMPA <[email protected]>
To: Listmaster <[email protected]>

 User  has encountered an internal server error
(Web interface - ACTION: sso_login):

no_identified_user

See the logs for more details.

this morning. These seem to correspond to:

Apr 3 06:24:21 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.cam.ac.uk] [client 193.29.13.232] Syntax error for parameter list value "1');SELECT PG_SLEEP(5)--" not conform to regexp:[\w-.+]*

Apr 3 06:24:21 lists-1 wwsympa[18195]: info main::do_sso_login(ucam_federation) [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]

Apr 3 06:24:21 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232] User could not be identified, no mail HTTP header set

Apr 3 06:24:21 lists-1 wwsympa[18195]: info main::do_home() [robot lists.cam.ac.uk] [session 98056035778494] [client 193.29.13.232]

("User could not be identified, no mail HTTP header set" seems to be significant. wwsympa logged about 5000 attempted SQL injection attacks, but only a small fraction generated emails).

Additional information

This is related to a ticket that I opened about 18 months back: #1244

While the denial of service attack element seems to have been fixed (that was definitely the more important aspect), it looks like people poking at sso_login can still generate emails to listmaster.


ikedas commented Apr 6, 2023

Hi @dpc22,
Could you please check the PR above?


dpc22 commented Apr 11, 2023

-          add_stash('intern', 'no_identified_user');
+         add_stash('user', 'no_identified_user');
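Review bot: moving the stash category from 'intern' to 'user' is the right classification for this branch, since the quoted log shows the condition is triggered by a request that arrives without the mail HTTP header, i.e. by client input rather than a server fault, and only 'intern' entries should page the listmaster. Worth confirming in the same change that a user-facing message exists for the 'no_identified_user' key under the 'user' category, so the browser gets an explanatory error rather than an empty report, and that the err-level "User could not be identified, no mail HTTP header set" log line in main::do_sso_login is kept, since that is what any log-based blocking would key on.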

certainly looks plausible if "intern" is the cause of the messages to listmaster. Thank you.


ikedas commented Apr 11, 2023

I agree. I don't think it's a good idea to send emergency notices to administrators via email.

@ikedas ikedas added the ready A PR is waiting to be merged. Close to be solved label Apr 11, 2023

racke commented Apr 11, 2023

Fail2ban or similar is the better tool to cope with incoming crap.
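As an added example that is not part of this thread or of Sympa's own code, in the spirit of racke's fail2ban suggestion: a small Python detector that parses wwsympa log lines in the format dpc22 quoted above, flags the two err-level messages the report ties to client-supplied junk, and counts them per client address so a threshold can drive blocking instead of listmaster mail. The sample log, robot name and client addresses are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the wwsympa syslog format quoted in the issue; the robot
# name and client addresses are placeholders, not the reporter's values.
SAMPLE_LOG = r"""
Apr  3 06:24:21 lists-1 wwsympa[18195]: err main::#1258 > main::get_parameters#2120 [robot lists.example.org] [client 192.0.2.10] Syntax error for parameter list value "foo;bar" not conform to regexp:[\w-.+]*
Apr  3 06:24:21 lists-1 wwsympa[18195]: info main::do_sso_login(ucam_federation) [robot lists.example.org] [session 98056035778494] [client 192.0.2.10]
Apr  3 06:24:21 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.example.org] [session 98056035778494] [client 192.0.2.10] User could not be identified, no mail HTTP header set
Apr  3 06:24:22 lists-1 wwsympa[18195]: info main::do_home() [robot lists.example.org] [session 98056035778494] [client 192.0.2.10]
Apr  3 06:25:02 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.example.org] [session 98056035778495] [client 192.0.2.10] User could not be identified, no mail HTTP header set
Apr  3 06:25:40 lists-1 wwsympa[18195]: err main::#1557 > main::do_sso_login#3597 [robot lists.example.org] [session 98056035778496] [client 198.51.100.7] User could not be identified, no mail HTTP header set
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) wwsympa\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+) (?P<where>\S+(?: > \S+)?) "
    r"(?P<tags>(?:\[[^\]]*\] ?)*)(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
# err-level messages the issue attributes to bad client input, not to a server fault
SIGNATURES = {
    "param_syntax": "Syntax error for parameter",
    "sso_no_identity": "User could not be identified",
}

def parse_line(line):
    """Split one wwsympa log line into fields (plus the client address); None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    client = CLIENT_RE.search(event["tags"])
    event["client"] = client.group(1) if client else None
    return event

def classify(event):
    """Name the signature an err-level event matches, or None for anything else."""
    if event["level"] != "err":
        return None
    return next((n for n, frag in SIGNATURES.items() if frag in event["msg"]), None)

def noisy_clients(log_text, threshold):
    """Per-client counts of matching events for clients with at least `threshold` hits."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        sig = classify(event) if event and event["client"] else None
        if sig:
            per_client[event["client"]][sig] += 1
    return {ip: dict(c) for ip, c in per_client.items() if sum(c.values()) >= threshold}
```

Feeding real wwsympa logs through `noisy_clients` with a threshold of a few hits per client gives the address list a firewall or fail2ban action would consume; the info-level lines are parsed but never counted.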

@ikedas ikedas removed the ready A PR is waiting to be merged. Close to be solved label Jun 2, 2023
ikedas added a commit that referenced this issue Jun 13, 2023
WWSympa: Invalid input on sso_login form floods listmaster notification (#1654)