
Failing SMTP connection might result in information disclosure in password recovery #17091

Closed
sgiehl opened this issue Jan 14, 2021 · 9 comments
Assignees
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.
Milestone

Comments

@sgiehl
Member

sgiehl commented Jan 14, 2021

When the SMTP connection is not set up correctly, or is failing due to other reasons like #17026, requesting password recovery currently displays the full error message returned from the SMTP server. This could for example include the sender mail address or the login.
As password recovery is publicly available, we should consider not showing the full error message in this case.

@sgiehl sgiehl added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Jan 14, 2021
@tsteur
Member

tsteur commented Jan 14, 2021

I suppose in many cases the login would be the same as the sender, and the sender is kind of maybe guessable? Nonetheless, it could maybe be replaced automatically by catching the exception and throwing it again?

@sgiehl
Member Author

sgiehl commented Jan 15, 2021

@tsteur Yes, exactly. It should be enough to do that for the password recovery only, I guess, as that error message might be publicly visible.
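The catch-and-rethrow approach discussed above, as an added PHP example that is not Matomo's or PHPMailer's code. The `SmtpMailer` class and its exception text are constructed stand-ins for a real mail library failing on a misconfigured transport; the `PasswordRecoveryMailer` wrapper, the `RecoveryMailFailedException` class and the generic message text are assumptions for illustration. The point it shows is the split: full transport detail goes to a server-side log that only administrators read, while the anonymous requester of a recovery mail only ever sees a fixed, non-revealing message.

```php
<?php
// Added example: sanitising mail-transport errors on a public password-recovery path.
// SmtpMailer is a constructed stand-in for a real mailer library; it is not Matomo code.

class MailTransportException extends RuntimeException {}

class SmtpMailer
{
    public function __construct(private string $username, private string $from) {}

    public function send(string $to, string $subject, string $body): void
    {
        // Constructed failure: a library may embed login/sender details in its message.
        throw new MailTransportException(
            "SMTP Error: Could not authenticate (user {$this->username}, from {$this->from})"
        );
    }
}

// Thrown to the public-facing flow: carries only a generic, non-revealing message.
class RecoveryMailFailedException extends RuntimeException {}

class PasswordRecoveryMailer
{
    public const GENERIC_MESSAGE =
        'An unexpected error occurred while sending the recovery mail. '
        . 'Please try again or contact the administrator if this error remains.';

    /** @var string[] server-side log lines, readable by administrators only */
    private array $log = [];

    public function __construct(private SmtpMailer $mailer) {}

    public function sendRecoveryMail(string $to, string $link): void
    {
        try {
            $this->mailer->send($to, 'Password recovery', "Reset your password: $link");
        } catch (MailTransportException $e) {
            // Keep the full detail where only administrators can read it ...
            $this->log[] = sprintf('[%s] recovery mail to %s failed: %s',
                date('c'), $to, $e->getMessage());
            // ... and expose only a fixed message to the anonymous requester.
            // The original exception is kept as $previous for server-side debugging.
            throw new RecoveryMailFailedException(self::GENERIC_MESSAGE, 0, $e);
        }
    }

    /** @return string[] */
    public function getLog(): array
    {
        return $this->log;
    }
}

// Usage with constructed credentials and a constructed reset link.
$mailer = new PasswordRecoveryMailer(
    new SmtpMailer('matomo@corp.example', 'noreply@corp.example')
);
try {
    $mailer->sendRecoveryMail('user@example.org', 'https://matomo.example/reset?token=CONSTRUCTED');
} catch (RecoveryMailFailedException $e) {
    // What the public recovery page shows: the generic message, nothing from the transport.
    echo $e->getMessage(), PHP_EOL;
    assert(!str_contains($e->getMessage(), 'matomo@corp.example'));
    assert(!str_contains($e->getMessage(), 'SMTP'));
}
// What the administrator sees in the server-side log: the full transport detail.
print_r($mailer->getLog());
```

Rethrowing with the original exception as `$previous` keeps the transport error reachable for anyone reading server logs or a debugger, so the generic user-facing text does not cost administrators any troubleshooting information.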

@tsteur tsteur added this to the 4.4.0 milestone Jan 17, 2021
@tsteur tsteur added the Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. label Jul 27, 2021
@justinvelluppillai justinvelluppillai modified the milestones: 4.7.0, 4.5.0 Aug 19, 2021
@geekdenz
Contributor

Looks like this is already fixed:

image

@sgiehl
Member Author

sgiehl commented Aug 20, 2021

It might be possible that PHPMailer changed the code to no longer return the full SMTP error message. Nevertheless, in the password recovery we maybe shouldn't reveal any error details, as it might be public. It might be better to show something unspecific like "An unexpected error occurred while sending the recovery mail. Please try again or contact the administrator if this error remains."

@tsteur
Member

tsteur commented Aug 22, 2021

@sgiehl would there be much of a benefit? It might then be quite hard for users to troubleshoot where the problem is. I would have probably suggested the opposite to add maybe a sentence like "Please ask a Matomo administrator to check the configured Mail credentials in Matomo -> Administration -> General Settings".

@sgiehl
Member Author

sgiehl commented Aug 23, 2021

@tsteur It's just important that we replace the message coming from PHPMailer, as it might contain information we might not want to disclose in password recovery.

@geekdenz
Contributor

Decision:

In conversation with @tsteur and @justinvelluppillai we resolved this by intending to create an FAQ.

Now, the question is, should it be on one of these pages?

  1. https://matomo.org/faq/how-to/faq_93/
  2. https://matomo.org/faq/troubleshooting/faq_34856/
  3. A new page which is linked to from 1. or 2.?

I think it should be 3., but 2. would get them there in one click with the current Google search for example:

https://www.google.com/search?client=firefox-b-d&q=smtp+error+could+not+authenticate+matomo

We checked the PHPMailer code and it throws a generic Exception for all errors; the errors are translated, so even doing a substring match would be error prone. A bit unusual for such a high-profile project as PHPMailer.

So, in short, the best solution we figured is to create an FAQ which users/admins would find easily with a search engine.

The original issue had already been resolved previously and we know no authentication configuration is leaked.

@tsteur
Member

tsteur commented Aug 24, 2021

I would create a new FAQ in the troubleshooting category like "How do I fix the error 'SMTP Error... exact error message...'".

We could link to this new FAQ in https://matomo.org/faq/troubleshooting/faq_34856/ also.

@tsteur
Member

tsteur commented Aug 28, 2021

Changing the library to PHPMailer already fixed this, and we created an FAQ for the error.
