Password recovery e-mail
Brought to you by: sindre_mehus
The password recovery mechanism sends an e-mail to the requesting user in the file:
net/sourceforge/subsonic/controller/MultiController.java
It uses a webservice at the URL "http://subsonic.org/backend/sendMail.view" which accepts requests from unauthenticated users to send out e-mail, allowing the use of your server as a relay for spam. Very bad idea.
Because of the use of this webservice, the passwords of local users get transferred in plaintext to your system, which I don't think is nice.
A safe way to handle this would be:
Anonymous
I really think that this is a big issue. When I run a server, I would not want my software to do stuff like this.
I realize "forgot password" is a usability-enhancing feature, but when it is implemented as is, it would be better to turn it off by default.
I recommend three possibilities, each one less complicated to implement than its successor (may be implemented in different milestones):
1. add configuration option to enable "forgot password" feature, disabled by default. When enabled, the feature works as up to now (i.e., insecure mail proxy subsonic.org, plaintext password).
2. instead, add configuration option to configure SMTP relay, defaults to empty (i.e., feature off). Password is still sent in plain text. [config variables: host, port, auth-method(plain/login/cram_md5), username, password, startssl, domain]
3. like 2., but instead of sending out a new PW in clear text, send a PW reset link (as already suggested).
SubSonic is great. Make it greater!
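The two points raised in the report and the comment above are (a) the server hands the user's plaintext password to a third-party relay at subsonic.org, and (b) the alternative is an administrator-configured SMTP relay that mails a time-limited reset link rather than the password itself (proposals 2 and 3). The following Python sketch is an added example of that reset-link flow; it is not Subsonic's code and does not reflect how Subsonic stores users. The `/reset?token=` path, the 15-minute lifetime, the `example.org` addresses and the in-memory `store` dict are assumptions chosen for illustration.

```python
"""Password reset by one-time link instead of by e-mailing the password.

Design points this example demonstrates:
  * the token comes from the OS CSPRNG, never from a predictable source;
  * only a SHA-256 digest of the token is stored, so a leaked database
    does not contain usable reset links;
  * a token is single-use and expires after TOKEN_TTL_SECONDS;
  * mail goes through the administrator's own SMTP relay with STARTTLS,
    not through a third-party web service.
"""
import hashlib
import secrets
from dataclasses import dataclass
from email.message import EmailMessage

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


@dataclass
class ResetRecord:
    username: str
    expires_at: int  # unix timestamp after which the token is rejected


def _token_digest(token: str) -> str:
    # Only this digest is persisted; the plaintext token exists solely in the e-mail.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_reset_token(store: dict, username: str, now: int) -> str:
    """Issue a fresh single-use reset token for `username` and record its digest."""
    token = secrets.token_urlsafe(32)  # 256 bits of OS randomness, URL-safe base64
    store[_token_digest(token)] = ResetRecord(username, now + TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(store: dict, token: str, now: int):
    """Return the owning username if `token` is known and unexpired, else None.

    The record is removed on any lookup so a token can never be replayed,
    whether the first use succeeded or was already too late.
    """
    record = store.pop(_token_digest(token), None)
    if record is None or now > record.expires_at:
        return None
    return record.username


def build_reset_link(base_url: str, token: str) -> str:
    """Compose the link the user will follow (hypothetical /reset endpoint)."""
    return f"{base_url.rstrip('/')}/reset?token={token}"


def build_reset_message(sender: str, recipient: str, link: str) -> EmailMessage:
    """Build the e-mail. Note that it carries the link, never a password."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Password reset request"
    msg.set_content(
        "A password reset was requested for your account.\n"
        f"Follow this link within 15 minutes to choose a new password:\n{link}\n"
        "If you did not request this, ignore this message; your password is unchanged.\n"
    )
    return msg


def send_via_own_relay(msg: EmailMessage, host: str, port: int,
                       username: str, password: str) -> None:
    """Deliver through the administrator's configured SMTP relay (proposal 2).

    Not called in the demo below because it needs a real relay; shown to make
    the point that the server, not a third party, owns the outbound mail path.
    """
    import smtplib
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()              # protect credentials and message body in transit
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed demo data; in a real server `store` would be a database table.
    store = {}
    now = 1_700_000_000
    token = create_reset_token(store, "alice", now)
    link = build_reset_link("https://music.example.org", token)
    print(build_reset_message("noreply@example.org", "alice@example.org", link))
    print("first use  ->", consume_reset_token(store, token, now + 60))
    print("second use ->", consume_reset_token(store, token, now + 61))
```

Two design details worth keeping when adapting this: the lookup-and-delete happens before the expiry check, so an expired token cannot be reused if the clock is later adjusted, and the endpoint that accepts the username should answer identically whether or not the account exists, so the reset form does not double as an account-enumeration oracle.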
Please Sindre, for the love of God, it would be really appreciated if after almost three years this glaring security hole is finally dealt with. Not responding at all and just leaving it in an open status is really, really bad in my humble opinion.
I love Subsonic, but it is frustrating to see this behaviour like you don't care at all about the security of the users of your software. Case in point: another glaring security hole which would in one fell swoop make sending passwords via e-mail impossible if dealt with (as it should be): https://sourceforge.net/p/subsonic/bugs/141/.
When are you finally going to give Subsonic security the attention it desperately needs?
Last edit: Anonymous 2018-04-27