Last modified: 2008-01-21 07:15:19 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 12655 - Cracker can get any user email address.
Cracker can get any user email address.
Product: Wikimedia
Classification: Unclassified
General/Unknown (Other open bugs)
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2008-01-16 19:01 UTC by sp5uhe (Paweł Zienowicz)
Modified: 2008-01-21 07:15 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Mail with recipient private address (2.03 KB, text/plain)
2008-01-16 19:01 UTC, sp5uhe (Paweł Zienowicz)

Description sp5uhe (Paweł Zienowicz) 2008-01-16 19:01:01 UTC
Created attachment 4551 [details]
Mail with recipient private address

When I sent mail using web interface and protected from unauthorized mail-sending system I was receive two emails. In one of this email (attached) I find recipient private email address!

It is security violation. Using script I can get all private emails from all projects.
Comment 1 Brion Vibber 2008-01-21 07:15:19 UTC
This is due to what is IMHO a rather bad practice in sSMTP, the minimal SMTP agent running on most of our newer web servers.

Some quick background: e-mail communication involves two distinct sender addresses. One is the "From:" header in the *message*, which is what the recipient sees in their mail client when reading it. The other is the "envelope sender", which is specified in the SMTP protocol from the sending server.

It's this "envelope sender" to which bounce messages are sent when delivery fails, and which is checked against the sending domain's authorization in SPF framework checks.

Normally when sending from the wiki (or a mailing list, etc), the envelope sender is specific to the application server involved in mailing, while the 'From' address belongs to the original user offsite. Hence everything looks pretty.

sSMTP's configuration allows you to *either* force the 'From' address to the machine user, *or* force the envelope sender to the 'From' address. Neither option is very nice for us.

r30014 adds config option $wgUserEmailUseReplyTo for the wiki; when set, the $wgEmergencyContact address (used as the sender for notification change emails) is used as the From, and the user's email is put into a Reply-To instead.

This looks less attractive, but keeps *replies* going back to the user and *bounces* going back to the machine.

Until we clean up our server config (maybe replacing sSMTP back to minimal postfix or something), we'll have that set on Wikimedia to protect against the SPF and bounce leakage problems.

Note You need to log in before you can comment on or make changes to this bug.