
Cracker can get any user email address.
Closed, ResolvedPublic

Description

Author: xarak

Description:
Mail with recipient private address

When I sent mail using the web interface (a system protected from unauthorized mail sending), I received two emails. In one of these emails (attached) I found the recipient's private email address!

It is a security violation. Using a script I can get all private emails from all projects.


Version: unspecified
Severity: normal

Attached:

Details

Reference
bz12655

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:02 PM
bzimport set Reference to bz12655.
bzimport added a subscriber: Unknown Object (MLST).

This is due to what is IMHO a rather bad practice in sSMTP, the minimal SMTP agent running on most of our newer web servers.

Some quick background: e-mail communication involves two distinct sender addresses. One is the "From:" header in the *message*, which is what the recipient sees in their mail client when reading it. The other is the "envelope sender", which is specified in the SMTP protocol from the sending server.

It's this "envelope sender" to which bounce messages are sent when delivery fails, and which is checked against the sending domain's authorization in SPF framework checks.

Normally when sending from the wiki (or a mailing list, etc), the envelope sender is specific to the application server involved in mailing, while the 'From' address belongs to the original user offsite. Hence everything looks pretty.

sSMTP's configuration allows you to *either* force the 'From' address to the machine user, *or* force the envelope sender to the 'From' address. Neither option is very nice for us.

r30014 adds config option $wgUserEmailUseReplyTo for the wiki; when set, the $wgEmergencyContact address (used as the sender for notification change emails) is used as the From, and the user's email is put into a Reply-To instead.

This looks less attractive, but keeps *replies* going back to the user and *bounces* going back to the machine.

Until we clean up our server config (maybe replacing sSMTP with minimal postfix or something), we'll have that set on Wikimedia to protect against the SPF and bounce leakage problems.
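To make the envelope-sender versus From-header distinction in the comment above concrete, here is an added illustration (not MediaWiki's or sSMTP's code) that models the two sSMTP rewriting choices and the $wgUserEmailUseReplyTo option, and reports where replies and bounces end up; the addresses are constructed sample values.

```python
from email.message import EmailMessage

# Constructed sample addresses (not from the task report).
WG_EMERGENCY_CONTACT = "wiki-noreply@example.org"  # stands in for $wgEmergencyContact
USER_PRIVATE_ADDRESS = "alice.private@example.net"  # the sending user's off-site address
RECIPIENT = "bob@example.com"


def compose_user_email(use_reply_to, sender_addr, recipient, subject, body):
    """Build the message the wiki hands to the local MTA.

    use_reply_to mirrors $wgUserEmailUseReplyTo: when True, From is the
    emergency contact and the user's address goes into Reply-To only."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = subject
    if use_reply_to:
        msg["From"] = WG_EMERGENCY_CONTACT
        msg["Reply-To"] = sender_addr
    else:
        msg["From"] = sender_addr
    msg.set_content(body)
    return msg


def ssmtp_rewrite(msg, mode, machine_user):
    """Model sSMTP's two options as the comment describes them.

    'force_from'    -> the From header is rewritten to the machine user
    'envelope_from' -> the envelope sender is copied from the From header
    Returns (envelope_sender, message)."""
    if mode == "force_from":
        msg.replace_header("From", machine_user)
        return machine_user, msg
    if mode == "envelope_from":
        return msg["From"], msg
    raise ValueError(f"unknown sSMTP mode: {mode}")


def mail_flow(use_reply_to, mode):
    """Where a reply goes (Reply-To, else From), where a bounce goes (the
    envelope sender), and whether the envelope exposes the user's address."""
    msg = compose_user_email(use_reply_to, USER_PRIVATE_ADDRESS, RECIPIENT, "Hello", "hi")
    envelope, msg = ssmtp_rewrite(msg, mode, WG_EMERGENCY_CONTACT)
    return {
        "reply_to": msg.get("Reply-To") or msg["From"],
        "bounce_to": envelope,
        "leaks_user_in_envelope": envelope == USER_PRIVATE_ADDRESS,
    }
```

Running mail_flow(False, "envelope_from") shows the reported problem (bounces and SPF checks see the user's private address), while mail_flow(True, "envelope_from") keeps replies going to the user and bounces going to the machine.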