Closed Bug 689138 Opened 14 years ago Closed 12 years ago

Mozillians sends e-mail to destination server directly from webserver host

Categories

(Participation Infrastructure :: Phonebook, defect, P2)

defect

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: mgoodwin, Assigned: williamr)

References

()

Details

(Keywords: sec-moderate, Whiteboard: [infrasec:bestpractice] [ws:moderate])

Attachments

(1 file)

This bug is more for discussion than anything else.

Issue: Mozillians sends e-mails (e.g. for the 'invite' functionality). These e-mails are sent directly from the webserver serving the users' requests rather than going via an MTA dedicated to the task of processing mail for external recipients. The issue with this is that it allows an attacker to use system generated e-mail as a network discovery tool.

Steps to reproduce:
1) log in to mozillians using a vouched account
2) click on 'Invite'
3) enter an (invalid) e-mail address in the address field
4) click 'send invite'
5) look at the e-mail address you used to register your mozillians account
6) Observe the internal host information included in the e-mail

Recommended remediation: This is left open for discussion; I realise we do this in other places so fixing this might not be the best course of action. I've created this bug as a starting point for discussion between the infra and security teams.
I think it depends on what settings are set in the Django config file? Unless I am mistaken, those can handle SMTP credentials, which would allow it to use a smarthost.
We usually send through an MTA, in this case we should send through mxout-generic.mozilla.org but still, the header would show the originating host.
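The two comments above raise the same defender's question from different angles: routing through a smarthost (Django's SMTP settings) stops the web host from talking to arbitrary destination servers, but the message headers (Received, and a Message-ID derived from the web host's own hostname) can still carry the originating host name and address out to the recipient. The following is an added example written for this page; it is not code from the Mozillians project or from anyone on this bug. It builds a constructed message of the kind the screenshot later in the bug would show, scans the outbound headers for internal hostnames and private addresses so a deploy check can flag them, and shows an outbound message whose Message-ID names the public domain instead. The hostnames, addresses and the `.internal.example` suffix are placeholders chosen for the example; the Django setting names in `SMARTHOST_SETTINGS` are real, their values are placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import make_msgid

# Hostname suffixes that must not appear in mail leaving the organisation.
# Constructed placeholders for this example, not values from the bug.
INTERNAL_SUFFIXES = (".internal.example", ".corp.example", ".local")

# Headers that commonly carry the sending host's identity.
SENSITIVE_HEADERS = ("Received", "Message-ID", "X-Originating-IP", "X-Mailer")

HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# What the "use a smarthost" suggestion looks like in Django's settings.py
# (real setting names; host and credentials are placeholders).
SMARTHOST_SETTINGS = {
    "EMAIL_HOST": "smarthost.example.org",
    "EMAIL_PORT": 587,
    "EMAIL_USE_TLS": True,
    "EMAIL_HOST_USER": "webapp-mailer",
    "EMAIL_HOST_PASSWORD": "<placeholder, load from a secret store>",
}

# A constructed outbound message whose headers expose the web host.
LEAKY_MESSAGE = """\
Received: from webapp01.internal.example (webapp01.internal.example [10.0.1.25])
\tby mx.example.org with ESMTP id ABC123
Message-ID: <20110101.12345@webapp01.internal.example>
From: noreply@example.org
To: nobody@invalid.example
Subject: Invite

You have been invited.
"""


def is_internal_host(name):
    """True if the hostname ends in one of the internal-only suffixes."""
    n = name.lower().rstrip(".")
    return any(n.endswith(s) for s in INTERNAL_SUFFIXES)


def is_private_ip(text):
    """True if text parses as an RFC 1918 / link-local / loopback address."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def find_leaks(raw_message):
    """Return ordered, de-duplicated (header, token) pairs naming internal
    hostnames or private IPs found in the sensitive headers."""
    msg = message_from_string(raw_message)
    leaks = []

    def add(item):
        if item not in leaks:
            leaks.append(item)

    for header in SENSITIVE_HEADERS:
        for value in msg.get_all(header, []):
            for host in HOST_RE.findall(value):
                if is_internal_host(host):
                    add((header, host))
            for ip in IP_RE.findall(value):
                if is_private_ip(ip):
                    add((header, ip))
    return leaks


def build_invite(sender, recipient, body, public_domain):
    """Build an outbound message whose Message-ID names the public domain
    rather than whatever hostname the web host reports for itself."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Invite"
    msg["Message-ID"] = make_msgid(domain=public_domain)
    msg.set_content(body)
    return msg


def hardened_invite_leaks():
    """Leaks found in a message built with an explicit public Message-ID."""
    msg = build_invite("noreply@example.org", "nobody@invalid.example",
                       "You have been invited.", "example.org")
    return find_leaks(msg.as_string())


if __name__ == "__main__":
    for header, token in find_leaks(LEAKY_MESSAGE):
        print(f"{header}: exposes {token}")
    print("hardened message leaks:", hardened_invite_leaks())
```

The scan only covers what the application itself puts on the wire; the Received line a smarthost adds when it accepts the message is written by the MTA, so the remaining fix for that header belongs in the MTA's configuration (or in placing the web host behind a relay whose own name is the only one it records), not in the application.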
Priority: -- → P2
Target Milestone: --- → 1.1
This isn't hitting the 1.1 release as we're code frozen. Moving this to 1.2.
Target Milestone: 1.1 → 1.2
Assignee: nobody → tofumatt
Uh, from comment 2, this might not even be an issue, but we should double check.
Taking this out of release scheduling until it's determined this is an issue.
Target Milestone: 1.2 → ---
Group: mozilla-corporation-confidential
Component: mozillians.org → Phonebook
Product: Websites → Community Tools
QA Contact: mozillians-org → phonebook
Version: unspecified → other
Assignee: tofumatt → nobody
Triaging... Can we identify if we need to fix something or if this is a non-issue.. attached is a screenshot of the email headers from mozillians. I poked around and the bedrock email (from contribute) looks similar. So if we need to fix something on mozillians it's likely we have to fix elsewhere.
Flags: needinfo?(curtisk)
Whether or not this is fixed is ultimately a decision point for you all. We wanted to raise the issue as a discussion point. As noted in comment 0 we do this in other places. If used this would not be a direct attack but would be used to gather more information to possibly make a different attack possible. That said mgoodwin might have more to say on this
Flags: needinfo?(curtisk) → needinfo?(mgoodwin)
Mark, do you have anything else to add? Is this something we need to fix or is this a non-issue? It seems like the decision should be made by the infra and security teams, although let me know if our project team should decide. Thanks!
I think it's a low risk issue; we most likely have bigger fish to fry. Feel free to close it out.
Flags: needinfo?(mgoodwin)
Assignee: nobody → williamr
Closing this bug based on comment #10. Thanks for the input everyone ;)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
QA verified wontfix
Status: RESOLVED → VERIFIED