Password inSecurity n Email!!

Started by nitins60, September 05, 2007, 08:59:29 AM

nitins60

I am using SMTP for sending emails of SMF (default function) as my host doesn't provide PHP mail support.

* use SMTP in admin area
* enable new user registration alert for admin
* in registration settings, disable Email Activation

Now when a new user registers with a wrong email address (not a valid one), the administrator will get an Email Sending Error report as a mail to his email address. In this email, you will see the SMTP email sending error and the email which was supposed to be sent to the recipient!!

As SMF sends email to users with their username and password, the administrator will get the username and password for the wrong email address.

In terms of *Security*, it's a bit of a problem with SMF. It's not about Server Security, it's about Members' Security.

My suggestion is, don't send the password to users in the Emails. Otherwise there must be another way to prevent it.
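One way an admin-facing delivery-failure report can avoid forwarding a member's credentials, shown here as an added Python illustration that is not SMF code: the sample welcome mail, the header names and the `scrub_message_body` / `build_admin_error_report` functions are all constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample of a registration mail that carries a password in its body
# (an assumed format for illustration, not an actual SMF template).
SAMPLE_WELCOME_MAIL = """\
From: forum@example.invalid
To: newuser@nonexistent.invalid
Subject: Welcome to Example Forum

Thank you for registering.
Username: newuser
Password: s3cret-pass
You can change your password in your profile.
"""

# Body lines that begin with a credential label, e.g. "Password: ..." or "pass=...".
SECRET_LINE = re.compile(r"^\s*(password|passwd|pass)\s*[:=]", re.IGNORECASE)


def scrub_message_body(raw: str) -> str:
    """Return the message with credential lines in the body replaced by a marker.

    Headers (From/To/Subject) are kept so the admin still sees who the mail was
    for; only body lines matching SECRET_LINE are redacted.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    cleaned = [
        "[redacted credential line]" if SECRET_LINE.match(line) else line
        for line in body.splitlines()
    ]
    msg.set_payload("\n".join(cleaned) + ("\n" if body.endswith("\n") else ""))
    return msg.as_string()


def build_admin_error_report(raw: str, smtp_error: str) -> str:
    """Compose the bounce notice for the admin from the scrubbed copy, never the
    verbatim undelivered message, so a mistyped address does not leak a password."""
    msg = message_from_string(raw)
    return (
        f"Mail to {msg['To']} (subject: {msg['Subject']}) failed: {smtp_error}\n\n"
        f"--- scrubbed copy of the undelivered message ---\n"
        f"{scrub_message_body(raw)}"
    )
```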

Kindred

This is not a bug.... It is an opinion on correctly working functionality and a request to change that functionality/feature.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

nitins60


SleePy

It is not at all a bug.
This is done this way as you can leave the password blank on registration and one is automatically created for you randomly. So the user would need to know their password :P
I used to get those, but I have set up my configuration to /dev/null all those mails that were returned as unsuccessfully sent to my main account and webmaster_email address in my SMF forums.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Thantos

I do agree that it is a security issue.  However, I believe that it falls under "acceptable risk".  Typically only one person is going to have access to those bounced emails and that person will generally be an admin who could change the user's password anyways.

nitins60

@Thantos, however, knowing a password is something different from changing a password. Of course admins are going to have access :)

Smurfbutcher Bob

Nitins,

The password hashes are trivially fetched by the admin. And from there, a lookup table would do the rest in mere moments.
Or, the admin can simply patch the login function in the php files with... one line of code, to note each user's password in the error logs as they pop in and/or register. No rainbows needed.

While I'd agree if the passwords were visible to anyone else (a moderator or whatnot), remember - you're dealing with the admin - and this person has full unfettered source access. There is *nothing* they cannot do.

Any attempt to deny or hide that fact is little more than "feel good" masturbation, and is grossly misleading to the users.  Forum passwords must be considered public, because the admin AND any successful attacker have full unfettered access to them at the source, "hash" or not. No exceptions. SMF is free to remove the functionality you describe... but I'm free to throw it right back in. And my SMF version will look exactly like yours - the users, who are told that SMF1.1.4 does NOT have that functionality, are screwed.

Or, users are told that the admin cannot be stopped from getting their passwords, so they should not re-use one that's used somewhere of merit.  That makes a little more sense, and is more correct.

Either way is fine, but the "security risk" argument is pure straw.
