Hi,
While playing with the SMTP settings I found out that if SMTP debugging is turned on, an unauthenticated attacker can navigate to /login/forgot_password.php and reset the password of a user as long as he knows the username or the email address. This is caused by the SMTP debug messages, which by default are displayed directly in the browser.
Here's the debug output shown:
2017-10-04 16:50:18 CLIENT -> SERVER: Hi Admin,
2017-10-04 16:50:18 CLIENT -> SERVER:
2017-10-04 16:50:18 CLIENT -> SERVER: A password reset was requested for your account 'user' at New Site.
2017-10-04 16:50:18 CLIENT -> SERVER:
2017-10-04 16:50:18 CLIENT -> SERVER: To confirm this request, and set a new password for your account, please
2017-10-04 16:50:18 CLIENT -> SERVER: go to the following web address:
2017-10-04 16:50:18 CLIENT -> SERVER:
2017-10-04 16:50:18 CLIENT -> SERVER: http://192.168.1.35/login/forgot_password.php?token=adZ5CONp0mCNGRhytDl28cKFRhoiIXoJ
2017-10-04 16:50:18 CLIENT -> SERVER: (This link is valid for 30 minutes from the time this reset was first
2017-10-04 16:50:18 CLIENT -> SERVER: requested)
2017-10-04 16:50:18 CLIENT -> SERVER:
This also allows attackers to perform username and email enumeration: if a request is sent for a non-existing username or email address, no debug output is shown, which makes it easy to figure out the admin username/email address.
I understand that SMTP debugging should be turned off most of the time; however, I think the problem is with the default debug output setting, which displays the output directly in the browser rather than appending it to a log file on the server (https://github.com/moodle/moodle/blob/master/lib/phpmailer/class.phpmailer.php#L345). With this configuration, an admin with a weak/easily discoverable username is only one click away from allowing everyone to reset his/her password. Changing the default debug output to the log file would make it more secure.
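As an added example (not Moodle's or PHPMailer's own code, and not part of the original report), the following shows the weak default beside a hardened configuration: PHPMailer's debug output is routed to a server-side log file through a callable instead of being echoed into the HTTP response, and password-reset tokens are redacted before they are written. Sending the output to a log rather than the browser also removes the enumeration side channel described above, since the response no longer differs between existing and non-existing accounts. It assumes PHPMailer 5.2.x as bundled in Moodle's lib/phpmailer (which accepts a callable in `Debugoutput`); the log path and SMTP host are placeholders.

```php
<?php
// Added example, not Moodle's or PHPMailer's code.
// Assumes PHPMailer 5.2.x (class.phpmailer.php) where $mail->Debugoutput
// may be a callable receiving ($str, $level).
require_once __DIR__ . '/lib/phpmailer/class.phpmailer.php';

// Assumed log location: must be outside the web root and not web-accessible.
define('SMTP_DEBUG_LOG', '/var/log/moodle/smtp-debug.log');

/**
 * Redact the token parameter of forgot_password.php links so that a debug
 * log, even if it is later read by the wrong person, cannot be used to
 * complete a password reset.
 */
function redact_reset_tokens($line) {
    return preg_replace(
        '/(forgot_password\.php\?token=)[A-Za-z0-9]+/',
        '$1[REDACTED]',
        $line
    );
}

/**
 * Debug sink: append one timestamped, redacted line per debug message.
 * Nothing is written to the HTTP response.
 */
function smtp_debug_to_log($str, $level) {
    $entry = sprintf(
        "%s level=%d %s\n",
        date('Y-m-d H:i:s'),
        $level,
        redact_reset_tokens(rtrim($str))
    );
    file_put_contents(SMTP_DEBUG_LOG, $entry, FILE_APPEND | LOCK_EX);
}

$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = 'smtp.example.org'; // placeholder host
$mail->SMTPDebug = 2;             // client/server conversation, as in the report

// Weak (PHPMailer default): every debug line, including the reset link,
// is echoed straight into the page that the requester sees.
// $mail->Debugoutput = 'echo';

// Hardened: server-side log with token redaction.
$mail->Debugoutput = function ($str, $level) {
    smtp_debug_to_log($str, $level);
};
```

A quick way to confirm the hardening is in place is to request a reset for a known account while debugging is enabled and check that the HTTP response contains no `CLIENT -> SERVER` lines, while the log file records them with `token=[REDACTED]`.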
SMTP debugging could currently be enabled on many sites, and an attacker could report email issues on purpose to a target organization in order to trick them into enabling it for troubleshooting purposes.
I'm using 'Serious' as the security level because no technical ability is required to exploit it and you don't even need to have an account on the site.
Thanks,
Antonio
Caused a regression: MDL-66169 Undefined property notice for $debugsmtp on outgoing mail config test page (Closed)