Invalid POST data breaks sso_login for all legitimate users of the system

[dpc22]

Version

6.2.66

Installation method

My own rpms, derived from official RHEL rpms

Expected behavior

Rogue actors should not be able to break sso_login for legitimate users of a Sympa system

Actual behavior

Legitimate users are unable to login using SSO following:

curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid&action_sso_login=invalid" -X POST https://.../sympa

("Local" logins still work).

Additional information

Each new "auth_service_name=invalid" adds a new login button to Sympa:

caused by the following HTML:

</span><input type="hidden" name="auth_service_name" value="invalid^@ucam_federation" />
 <span>
       <button type="submit" name="action_sso_login" value="">
        <i class="fa fa-user"></i>
                                
         </button>
</span><input type="hidden" name="auth_service_name" value="invalid2" />
 <span>
 <button type="submit" name="action_sso_login" value="">
     <i class="fa fa-user"></i>
                                
      </button>
</span><input type="hidden" name="auth_service_name" value="invalid3" />

A legitimate login attempt while in this broken state fails:

Oct  6 10:23:27 lists-1 wwsympa[11357]: info main::do_home() [robot lists.cam.ac.uk] [session 81985556773205] [client 82.10.153.210] 
Oct  6 10:23:31 lists-1 wwsympa[11358]: err main::#1260 > main::get_parameters#2153 [robot lists.cam.ac.uk] [client 82.10.153.210] Syntax error for parameter auth_service_name value "2on0943dg8uk.jsp�976402�actuator�duX9m2Lx�gcX3OMmS�sympa�ucam_federation" not conform to regexp:[\w\-\.]+
Oct  6 10:23:31 lists-1 wwsympa[11358]: info main::check_action_parameters() [robot lists.cam.ac.uk] [session 81985556773205] [client XXX.XXX.XXX.XXX] Missing parameter "auth_service_name"
Oct  6 10:23:31 lists-1 wwsympa[11358]: err main::#1548 [robot lists.cam.ac.uk] [session 81985556773205] [client 82.10.153.210] Missing required parameters for action "sso_login"

I infer that Sympa is confused by the additional <input> tags.

[dpc22]

Our /etc/sympa/auth.conf is:

user_table
        regexp                 .*

generic_sso
    service_name                Login using Raven
    service_id                  ucam_federation
    http_header_list            mail,displayName,eduPersonAffiliation
    email_http_header           mail
    netid_http_header           REMOTE_USER
    internal_email_by_netid     1
    force_email_verify          1

[ikedas]

@dpc22, I couldn't understand why extra login buttons appeared. If possible, could you please explain?

[dpc22]

I infer that long running wwsympa.fcgi processes get confused by the invalid input, and start to add authentication services to an array somewhere, which is then used when the login page is rendered.

I think that you will be able to replicate the effect by using the auth.conf that I list above (you don't actually need to configure a SSO service) and then run:

curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid&action_sso_login=invalid" -X POST https://.../sympa

You might need to specify:

Environment="FCGI_CHILDREN=1" (/usr/bin/spawn-fcgi -F $FCGI_CHILDREN)

to make sure that you are looking at the same wwsympa.fcgi that is poked by curl.

[dpc22]

A bit of trial and error reveals that the problem array/hash is $param->{sso}. If I log the content of that hash in wwsympa.pl using Data::Dumper:

   foreach my $auth (keys %{$Conf::Conf{'generic_sso_id'}{$robot}}) {
        $log->syslog('debug', 'Generic SSO authentication service %s', $auth);
        $param->{'sso'}{$auth} =
            $Conf::Conf{'auth_services'}{$robot}
            [$Conf::Conf{'generic_sso_id'}{$robot}{$auth}]{'service_name'};
    }
    use Data::Dumper;
    $log->syslog('notice', Dumper($param->{'sso'}));

and run:

curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid1&action_sso_login=invalid" -X POST https://.../sympa
curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid2&action_sso_login=invalid" -X POST https://.../sympa
curl -d "csrftoken=invalid&sso_login=invalid&auth_service_name=invalid3&action_sso_login=invalid" -X POST https://.../sympa

I see the following in my logs the next time that I try to view the login page in a browser:

Oct 13 09:46:41 lists-2 wwsympa[14379]: notice main:: $VAR1 = {
          'ucam_federation' => 'Login using Raven',
          'invalid2' => undef,
          'invalid3' => undef,
          'invalid1' => undef
        };

[dpc22]

I think that we just need to reset that value for each new HTTP request which wwsympa.pl processes?

[dpc22]

The following fixes the problem for me:

--- ./src/cgi/wwsympa.fcgi.in-DIST      2021-10-13 10:20:05.277975733 +0100
+++ ./src/cgi/wwsympa.fcgi.in   2021-10-13 10:20:48.867901187 +0100
@@ -1190,6 +1190,7 @@
     $param->{'conf'}{'use_blacklist'} =
         Conf::get_robot_conf($robot, 'use_blocklist');
 
+    $param->{'sso'} = {};
     foreach my $auth (keys %{$Conf::Conf{'cas_id'}{$robot}}) {
         $log->syslog('debug2', 'CAS authentication service %s', $auth);
         $param->{'sso'}{$auth} =

(corrected as there are two separate loops which populate $param->{'sso'}

[ikedas]

@dpc22 , could you please apply this patch to check if the problem will be solved?

[dpc22]

Okay, that seems to have done the trick. Thanks!