Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-60347

SMTP debugging can only provide verbose output (regardless of debugging output level)

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

       In master

      1. Check that the setting "debugsmtp" is no longer displayed in the ui under admin > development > debugging
      2. Set debug messages to "Developer"
      3. Set  $CFG->debugsmtp = true in your config.php file.
      4. Trigger an e-mail to be sent from moodle (forgot password process works) - and check to see that the smtp debug output is displayed.
      5. In admin > development > debugging set "debug messages" to a value lower than "Developer"
      6. Trigger an e-mail to be sent from Moodle and check to make sure the smtp debug is not displayed.

      In stable branches:

      1. Set "debugsmtp" to true in the ui under admin > development > debugging
      2. Set debug messages to "Developer"
      3. Trigger an e-mail to be sent from moodle (forgot password process works) - and check to see that the smtp debug output is displayed.
      4. In admin > development > debugging set "debug messages" to a value lower than "Developer" 
      5. Trigger an e-mail to be sent from Moodle and check to make sure the smtp debug is not displayed.

       

      Show
       In master Check that the setting "debugsmtp" is no longer displayed in the ui under admin > development > debugging Set debug messages to "Developer" Set  $CFG->debugsmtp = true in your config.php file. Trigger an e-mail to be sent from moodle (forgot password process works) - and check to see that the smtp debug output is displayed. In admin > development > debugging set "debug messages" to a value lower than "Developer" Trigger an e-mail to be sent from Moodle and check to make sure the smtp debug is not displayed. In stable branches: Set "debugsmtp" to true in the ui under admin > development > debugging Set debug messages to "Developer" Trigger an e-mail to be sent from moodle (forgot password process works) - and check to see that the smtp debug output is displayed. In admin > development > debugging set "debug messages" to a value lower than "Developer"  Trigger an e-mail to be sent from Moodle and check to make sure the smtp debug is not displayed.  
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE

      Description

      Hi,

      While playing with the SMTP settings I found out that if the SMTP debugging is turned on, an unauthenticated attacker can navigate to /login/forgot_password.php and reset the password of a user as long as he knows the username or the email address: this is caused by the SMTP debug messages, that by default are displayed directly in the browser.

      Here's the debug output shown:

      2017-10-04 16:50:18 CLIENT -> SERVER: Hi Admin,

      2017-10-04 16:50:18 CLIENT -> SERVER:

      2017-10-04 16:50:18 CLIENT -> SERVER: A password reset was requested for your account 'user' at New Site.

      2017-10-04 16:50:18 CLIENT -> SERVER:

      2017-10-04 16:50:18 CLIENT -> SERVER: To confirm this request, and set a new password for your account, please

      2017-10-04 16:50:18 CLIENT -> SERVER: go to the following web address:

      2017-10-04 16:50:18 CLIENT -> SERVER:

      2017-10-04 16:50:18 CLIENT -> SERVER: http://192.168.1.35/login/forgot_password.php?token=adZ5CONp0mCNGRhytDl28cKFRhoiIXoJ

      2017-10-04 16:50:18 CLIENT -> SERVER: (This link is valid for 30 minutes from the time this reset was first 2017-10-04 16:50:18 CLIENT -> SERVER: requested)

      2017-10-04 16:50:18 CLIENT -> SERVER:

      This also allows the attackers to perform username and email enumeration, because if a request is sent for a non-existing username or email address, no debug output is shown, so that it's easy to try to figure out admin username/email address.

      I understand that the SMTP Debugging should be turned off most of the time, however I think the problem is with the default debug output settings that displays the output directly in the browser rather than appending it to a log file on the server(https://github.com/moodle/moodle/blob/master/lib/phpmailer/class.phpmailer.php#L345): with this configuration, an admin with a weak/easily discoverable username is only one click away from allowing everyone to reset his/her password. Changing the default debug output to the log file would make it more secure.

      The SMTP debugging could potentially be currently enabled on many sites, and an attacker could report email issues on purpose to a target organization in order to trick them to enable it for troubleshooting purposes.

      I'm using 'Serious' as a security level because no technical ability is required to exploit it and you don't even need to have an account on the site.

      Thanks,

      Antonio

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  8/Jul/19

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 8 minutes
                  1d 8m