matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

exposing user name of the generator of a report sent by email in the "replying-to:" field of the email #19060

Open fneumeier opened 2 years ago

fneumeier commented 2 years ago

Matomo reports sent by email are exposing the username of the user generating the report through the "reply-to:" header field of the email. Though it's not a big issue, exposing the username, which also serves as the login name for this user, should be considered a low security risk.

Expected Behavior

The email header of the report sent by email should not contain the "reply-to:" field at all, but if it does or has to for some reason, it should be configurable similar to noreply_email_address for the "from:" header field.

Current Behavior

Sending a report by email, Matomo adds the "reply-to:" header field, looking like this: reply-to: username <emailaddress@mydomain.com>

Possible Solution

As there is no need to reply to a report sent, this header field is not necessary anyway. The simplest solution would be to just not add this header field when sending reports at all. Alternatively: add options similar to noreply_email_address and noreply_email_name to configure what name and email address to add as "reply-to:" header.

Context

Temporary workaround: Don't send reports from the admin account, but choose a user with as-low-as-possible rights to send reports. This way, the username is still exposed, but security risk is lower than with the admin account.

Your Environment

MatomoForumNotifications commented 2 years ago

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/changing-the-email-address-name-reports-are-being-sent-from/45420/6

peterhashair commented 2 years ago

I believe that's a regression, maybe we should add it to the next milestone since there is a low security risk. I would recommend if there is no-reply header set, we hide part of the username. Like ma***d

justinvelluppillai commented 2 years ago

@peterhashair can you point at the PR you think this is a regression from?

sgiehl commented 2 years ago

That shouldn't be a regression. This code has existed since 2017: https://github.com/matomo-org/matomo/blob/821734c769fb012fc2ee5994b56937988150bc0f/plugins/ScheduledReports/ScheduledReports.php#L368-L378
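An added example, not part of the thread and not Matomo code: a Python check an administrator could run over a received report email to see whether its "reply-to:" header reveals a login name, together with a sketch of the partial masking suggested above. The sample message, the login name `jdoe_admin`, the function names, and the masking rule (keep the first two and the last character, fixed `***` in between) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: headers of a scheduled-report email shaped like the one
# described in the issue (the login name "jdoe_admin" is made up).
SAMPLE_REPORT = """\
From: Matomo Reports <noreply@example.org>
To: recipient@example.org
Reply-To: jdoe_admin <emailaddress@mydomain.com>
Subject: Weekly report
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Report body.
"""


def audit_reply_to(raw_message, login_names):
    """Return (kind, leaked_value, address) for each Reply-To entry that
    reveals one of the given login names."""
    msg = message_from_string(raw_message)
    known = {name.lower() for name in login_names}
    findings = []
    # get_all() covers repeated headers; getaddresses() splits address lists.
    for display, addr in getaddresses(msg.get_all("Reply-To", [])):
        local_part = addr.partition("@")[0].lower()
        if display.strip().lower() in known:
            findings.append(("display-name", display, addr))
        elif local_part in known:
            findings.append(("local-part", local_part, addr))
    return findings


def mask_login(name, keep_start=2, keep_end=1):
    """Mask a login name in the style 'ma***d' (assumed rule, see lead-in).
    A fixed '***' avoids revealing the name's length; names too short to
    hide anything meaningful are masked completely."""
    if len(name) <= keep_start + keep_end:
        return "***"
    return name[:keep_start] + "***" + name[-keep_end:]


if __name__ == "__main__":
    for kind, value, addr in audit_reply_to(SAMPLE_REPORT, ["jdoe_admin"]):
        print(f"Reply-To leaks login via {kind}: {value!r} <{addr}>")
        print("masked form:", mask_login(value))
```
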