Last modified: 2008-01-21 07:15:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T14655, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 12655 - Cracker can get any user email address.
Cracker can get any user email address.
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
General/Unknown (Other open bugs)
unspecified
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-16 19:01 UTC by sp5uhe (Paweł Zienowicz)
Modified: 2008-01-21 07:15 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Mail with recipient private address (2.03 KB, text/plain)
2008-01-16 19:01 UTC, sp5uhe (Paweł Zienowicz)
Details

Description sp5uhe (Paweł Zienowicz) 2008-01-16 19:01:01 UTC
Created attachment 4551 [details]
Mail with recipient private address

When I sent mail using web interface and protected from unauthorized mail-sending system I was receive two emails. In one of this email (attached) I find recipient private email address!

It is security violation. Using script I can get all private emails from all projects.
Comment 1 Brion Vibber 2008-01-21 07:15:19 UTC
This is due to what is IMHO a rather bad practice in sSMTP, the minimal SMTP agent running on most of our newer web servers.

Some quick background: e-mail communication involves two distinct sender addresses. One is the "From:" header in the *message*, which is what the recipient sees in their mail client when reading it. The other is the "envelope sender", which is specified in the SMTP protocol from the sending server.

It's this "envelope sender" to which bounce messages are sent when delivery fails, and which is checked against the sending domain's authorization in SPF framework checks.


Normally when sending from the wiki (or a mailing list, etc), the envelope sender is specific to the application server involved in mailing, while the 'From' address belongs to the original user offsite. Hence everything looks pretty.


sSMTP's configuration allows you to *either* force the 'From' address to the machine user, *or* force the envelope sender to the 'From' address. Neither option is very nice for us.


r30014 adds config option $wgUserEmailUseReplyTo for the wiki; when set, the $wgEmergencyContact address (used as the sender for notification change emails) is used as the From, and the user's email is put into a Reply-To instead.

This looks less attractive, but keeps *replies* going back to the user and *bounces* going back to the machine.

Until we clean up our server config (maybe replacing sSMTP back to minimal postfix or something), we'll have that set on Wikimedia to protect against the SPF and bounce leakage problems.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links