Description
Subscribed page email alerts currently place all of the subscribed email addresses into the To: field.
It becomes a simple exercise to harvest these emails by subscribing to a page and then modifying that page whilst not logged in. You are then notified by MoinMoin that a change was made to the page and can retrieve any harvested email addresses from the To: field.
Another problem arises if one of the subscriber's machines contracts a windows emailing virus. (assuming they have subscription alerts in their mail folders) The effect is that all subscribers may have their email addresses donated to a spam list or may have them become the target for viruses.
Details
All versions of MoinMoin tried are vulnerable.
Workaround
for MoinMoin Release 1.2.2 [Revision 1.185] (and probably others too) iterate over the to list and send a separate email for each recipient.
- for the lazy, copy and paste this sendmail function in place of your existing function in util/mail.py:
def sendmail(request, to, subject, text, **kw):
import smtplib, socket
from email.MIMEText import MIMEText
from email.Utils import formatdate
from MoinMoin import config
_ = request.getText
# should not happen, but who knows ...
if not config.mail_smarthost:
return (0, _('''This wiki is not enabled for mail processing. '''
'''Contact the owner of the wiki, who can either enable email, or remove the "Subscribe" icon.'''))
mail_from = kw.get('mail_from', config.mail_from) or config.mail_from
# Create a text/plain message
msg = MIMEText(text, 'plain', config.charset)
msg['From'] = mail_from
msg['To'] = mail_from
msg['Date'] = formatdate()
try: # only python >= 2.2.2 has this:
from email.Header import Header
from email.Utils import make_msgid
msg['Message-ID'] = make_msgid()
msg['Subject'] = Header(subject, config.charset)
except ImportError:
msg['Subject'] = subject # this is not standards compliant, but mostly works
# no message-id. if you still have py 2.2.1, you like it old and broken
try:
server = smtplib.SMTP(config.mail_smarthost)
try:
#server.set_debuglevel(1)
if config.mail_login:
user, pwd = config.mail_login.split()
server.login(user, pwd)
server.sendmail(mail_from, to, msg.as_string())
finally:
try:
server.quit()
except AttributeError:
# in case the connection failed, SMTP has no "sock" attribute
pass
except smtplib.SMTPException, e:
return (0, str(e))
except (os.error, socket.error), e:
return (0, _("Connection to mailserver '%(server)s' failed: %(reason)s") % {
'server': config.mail_smarthost,
'reason': str(e)
})
return (1, _("Mail sent OK"))Yes, there are more efficient ways to code this, but the above works -- SimonRyan
It only works if all mails send ok, if the first fails, it won't send the rest. An improved version will be in 1.2.4.
Discussion
Its a very small or non existing problem. You have to subscribe manually, then you have to subscribe to all pages in the wiki with a .+ regular expression, and finally, you have to use a robot that edit all the pages in the wiki. After all this trouble, you end with few email addresses of subscribes.
But I agree that there is no reason to send the addresses of other subscribes in a edit notification message. -- NirSoffer 2004-10-01 03:23:22
Agreed it is unlikely anyone would bother to automate this, but it is fairly easy to just pick one page that has many subscriptions. (I tried it on the MacroMarket page and was rewarded with 11 email addresses. -- Simon
The virus email harvesting is a more pressing issue however. By subscribing a previously unspammed email address to a MoinMoin wiki, I am inadvertantly exposing this email address since MoinMoin leaves it lying around in others inboxes. Most users would make the assumption that their email addresses remain undisclosed, and rightly so. -- SimonRyan
IHMO the main issue is if the users data is save in a MoinMoin wiki. The e-mail adress is an important and personal piece of data. I would set the priority to medium aka "fix in 1.2.4". -- FlorianFesti 2004-10-01 07:36:23
Changes need to be made to the sendmail() function in util/mail.py
Two strategies come to mind,
Iterate over the to list, sending a separate email to each
This seems to be the best solution, as emails that have no recipient tends to be filtered as spam. This can harm both the reader and worse the SoftSecurity of the wiki.
Send a mailing-list style of email with all recipients Bcc'ed
Thanks Thomas for fixing this. If you used my code, let me know and I'll re-write it properly. I'd break a few things out of the recipient loop such as the imports and the server instance. -- SimonRyan
- Well, although this would be a kind of optimization, the real problem is that sending many emails one after another takes quite some time, much more than those imports do. So if you want to work on it, try to figure out how to use bcc: in a sane way to send them more efficiently. In big wikis, a page could be subscribed by 1000 or more users...
- I found a way myself, just use to == from header address and use recipients in sendmail() call only. Tell me if it works.:)
Seems to work for me. A definite improvement. This now makes the email look like a mailing list. The only issues with this method is that some anti-spam systems will score it higher than an email with a matching To: field, but hey, that's life.
-- SimonRyan
Plan
Although it's a minor issue, its related to personal data of our users and to wiki SoftSecurity, and we have an easy fix. Changed priority to Medium. -- NirSoffer 2004-10-01 09:15:22
- Priority: Medium
Assigned to: ThomasWaldmann
- Status: fixed (in moin--main--1.2 and 1.2.4)