@fneumeier opened this Issue on April 7th 2022

Matomo reports sent by email are exposing the username of the user generating the report through the "reply-to:" header field of the email. Though it's not a big issue, exposing the username, which also serves as the login name for this user, should be considered a low security risk.

Expected Behavior

The email header of the report sent by email should not contain the "reply-to:" field at all, but if it does or has to for some reason, it should be configurable similar to noreply_email_address for the "from:" header field.

Current Behavior

Sending a report by email, Matomo adds the "reply-to:" header field, looking like this:
reply-to: username <emailaddress@mydomain.com>

Possible Solution

As there is no need to reply to a report sent, this header field is not necessary anyway. The simplest solution would be to just not add this header field when sending reports at all.
Alternatively: add options similar to noreply_email_address and noreply_email_name to configure what name and email address to add as "reply-to:" header.


Temporary workaround: Don't send reports from the admin account, but choose a user with as-low-as-possible rights to send reports. This way, the username is still exposed, but security risk is lower than with the admin account.

Your Environment

  • Matomo Version: 4.8.0
  • PHP Version: 7.3.33
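
A way to check a received report for the disclosure described above, as an added example that is not part of the original issue or of Matomo's code. The function name `audit_reply_to`, the `known_logins` list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the header format quoted in the issue.
SAMPLE_REPORT = """\
From: Matomo Reports <noreply@example.org>
To: recipient@example.org
Reply-To: admin <webmaster@example.org>
Subject: Weekly report
Content-Type: text/plain; charset=utf-8

Report body.
"""


def audit_reply_to(raw_message, known_logins):
    """Return (where, login, address) for each Reply-To entry that
    discloses one of the given login names."""
    msg = message_from_string(raw_message)
    logins = {login.lower() for login in known_logins}
    findings = []
    # A message may carry several Reply-To values; inspect all of them.
    for name, addr in getaddresses(msg.get_all("Reply-To", [])):
        display = name.strip()
        local_part = addr.split("@", 1)[0].lower()
        if display.lower() in logins:
            # The case from the issue: login name used as display name.
            findings.append(("display-name", display, addr))
        elif local_part in logins:
            # Login also leaks if it doubles as the mailbox name.
            findings.append(("local-part", local_part, addr))
    return findings


if __name__ == "__main__":
    for where, login, addr in audit_reply_to(SAMPLE_REPORT, ["admin"]):
        print(f"Reply-To discloses login '{login}' in {where} ({addr})")
```

Run it against a saved copy of a report email with the logins of the accounts that schedule reports; an empty result means the Reply-To header carries none of them.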
@MatomoForumNotifications commented on April 7th 2022

This issue has been mentioned on Matomo forums. There might be relevant details there:


@peterhashair commented on April 12th 2022 Contributor

I believe that's a regression, maybe we should add to the next milestone since there is a low-security risk. I would recommend if there is no-reply header set, we hide part of the username. Like ma***d

@justinvelluppillai commented on April 12th 2022 Contributor

@peterhashair can you point at the PR you think this is a regression from?

@sgiehl commented on April 12th 2022 Member