
#129 Password recovery e-mail

Milestone: 5.0 · Status: open · Owner: nobody · Labels: None · Priority: 1 · Updated: 2020-11-17 · Created: 2014-10-26 · Creator: Anonymous · Private: No

The password recovery mechanism sends an e-mail to the requesting user in the file:

net/sourceforge/subsonic/controller/MultiController.java

http://sourceforge.net/p/subsonic/code/HEAD/tree/tags/release-5.0/subsonic-main/src/main/java/net/sourceforge/subsonic/controller/MultiController.java#l138

  1. It uses a webservice at the URL "http://subsonic.org/backend/sendMail.view" which accepts requests from unauthenticated users to send out e-mail, allowing the use of your server as a relay for spam. Very bad idea.

  2. Because of the use of this webservice, the passwords of local users get transferred in plaintext to your system, which I don't think is nice.

A safe way to handle this would be:

  1. Let the user configure an SMTP relay that is used directly to send out e-mail.
  2. Don't send passwords out in plaintext; send a password reset link with a unique session key for authentication.

Discussion

  • Anonymous

    Anonymous - 2016-03-26

    I really think that this is a big issue. When I run a server, I would not want my software to do stuff like this.
    I realize "forgot password" is a usability-enhancing feature, but when it is implemented as is, it would be better to turn it off by default.

    I recommend three possibilities, each one less complicated to implement than its successor (may be implemented in different milestones):
    1. add configuration option to enable "forgot password" feature, disabled by default. When enabled, the feature works as up to now (i.e., insecure mail proxy subsonic.org, plaintext password).
    2. instead, add configuration option to configure SMTP relay, defaults to empty (i.e., feature off). Password is still sent in plain text. [config variables: host, port, auth-method(plain/login/cram_md5), username, password, startssl, domain]
    3. like 2., but instead of sending out a new PW in clear text, send a PW reset link (as already suggested).

    SubSonic is great. Make it greater!

  • Anonymous

    Anonymous - 2017-08-07

    Please Sindre, for the love of God, it would be really appreciated if after almost three years this glaring security hole is finally dealt with. Not responding at all and just leaving it in an open status is really, really bad in my humble opinion.
    I love Subsonic, but it is frustrating to see this behaviour like you don't care at all about the security of the users of your software. Case in point of another glaring security hole which would in one fell swoop make sending passwords via e-mail impossible if dealt with (as it should be): https://sourceforge.net/p/subsonic/bugs/141/.

    1. Sending the password in plaintext via e-mail is a big no-no and should be changed to sending a password reset link, the only viable way to implement a password recovery strategy.
    2. Sending the password via a subsonic.org relay is just plain ridiculous. Using http instead of https, especially in the days of Let's Encrypt who make it crazy simple to use SSL on your website, why oh why? That way, the e-mail is not only sent in plaintext, but the request to the relay is in plaintext too, making the risk the changed password leaks out even greater (unnecessarily increasing the attack surface): just horrendous!
    3. Changing the password immediately when someone has hacked the database and knows the login names and/or e-mail addresses, or correctly guesses one of these, is of course another big oversight. Even if it is used not to hack but to harass people, it is bad enough by itself. It should only be changed after the receiver of the e-mail clicks the password reset link AND fills in a password twice in the web form (and submits the form of course).
    4. It could be made even better by requiring people to fill in the login name AND the corresponding e-mail address before sending the mail.
    5. The possibility to change the mail by clicking the link should expire after a short time, which should be configurable by the admin user. Requesting another mail for that user and/or e-mail address should only be possible after the latest mail times out.

    When are you finally going to give Subsonic security the attention it desperately needs?


    Last edit: Anonymous 2018-04-27
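The reset-link design asked for in the ticket body and spelled out in the 2017 comment (login name and e-mail both required, password changed only after the link is used and a matching password pair is submitted, single-use token with an admin-configurable expiry, no second mail while a token is still valid) can be shown as one small flow. The code below is an added illustration written for this page, not Subsonic's code and not a proposed patch; it is in Python rather than the project's Java to keep the logic readable, and every name in it (`PasswordReset`, `PendingReset`, the `send_mail` callable that stands in for an admin-configured SMTP relay, the sample user table and addresses) is hypothetical. Only a hash of the token is stored server-side, so a leaked database does not yield usable reset links, and every request returns the same generic message so the endpoint does not reveal which accounts exist.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from email.message import EmailMessage

# Password hashing kept dependency-free (PBKDF2-SHA256); a real deployment
# would use bcrypt/scrypt/Argon2. Everything below is constructed for illustration.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class PendingReset:
    username: str
    token_hash: str   # only the hash is stored; the clear token exists only in the e-mail
    expires_at: float


GENERIC_REPLY = "If the account exists, a reset link has been sent."


class PasswordReset:
    """Hypothetical reset flow: request_reset() mails a link, complete_reset() changes the password."""

    def __init__(self, users, send_mail, base_url, ttl_seconds=900, now=time.time):
        self.users = users          # username -> {"email": str, "pw": hash}
        self.send_mail = send_mail  # callable(EmailMessage); e.g. a wrapper around smtplib for the admin's relay
        self.base_url = base_url
        self.ttl = ttl_seconds      # admin-configurable link lifetime
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # username -> PendingReset (at most one live token per user)

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username, email):
        # Step 1: both login name and e-mail must match; reply is identical either way.
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["email"].lower().encode(), email.lower().encode()):
            return GENERIC_REPLY
        existing = self.pending.get(username)
        if existing and existing.expires_at > self.now():
            return GENERIC_REPLY    # a valid token is outstanding: no new mail until it expires
        token = secrets.token_urlsafe(32)
        self.pending[username] = PendingReset(username, self._hash_token(token), self.now() + self.ttl)
        msg = EmailMessage()
        msg["To"] = user["email"]
        msg["From"] = "noreply@example.invalid"   # placeholder sender address
        msg["Subject"] = "Password reset"
        msg.set_content(f"Use this link within {self.ttl // 60} minutes: {self.base_url}?token={token}")
        self.send_mail(msg)
        return GENERIC_REPLY

    def complete_reset(self, token, new_password, confirm_password):
        # Step 2: the password changes only for a valid, unexpired, unused token
        # presented together with a non-empty password entered twice.
        if not new_password or new_password != confirm_password:
            return False
        token_hash = self._hash_token(token)
        for username, pend in list(self.pending.items()):
            if hmac.compare_digest(pend.token_hash, token_hash):
                del self.pending[username]        # single use, consumed whether or not it is still valid
                if pend.expires_at <= self.now():
                    return False
                self.users[username]["pw"] = hash_password(new_password)
                return True
        return False
```

The password itself is never mailed and never leaves the server; the relay only carries a one-time link, so even an unencrypted hop exposes a short-lived token rather than a credential.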
  • Anonymous

    Anonymous - 2020-11-17
    Post awaiting moderation.
