Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9772

Under some circumstances, email addresses are shown to undesired users

    Details

      Description

      If "users send e-mail via board" is disabled (in email settings), all users can see email addresses (and even send email), even those who have the "send email" permission disabled.

      This can represent a security hole, because email addresses are shown even to guest users no matter how you set the permissions of the anonymous user.

      This is because the email icon is shown to everybody. This isn't a problem if email is performed through the board, because the permission violation is caught later. But, if it's not done through the board, all users can send email.

      The fix for this problem is explained in this thread:

      http://www.phpbb.com/community/viewtopic.php?f=71&t=2100748

        Activity

        Hide
        narqelion narqelion [X] (Inactive) added a comment -

        The reported behavior is not reproducible in a vanilla install. There has to be another factor in the OP's reported behavior. The following configuration with screen caps for each scenario is included below.
        Vanilla 3.0.7pl1
        Users send e-mail via board: Disabled
        http://www.dilligaff.org/images/phpbbbugs/settings.jpg
        Screen cap of viewtopic logged in:
        http://www.dilligaff.org/images/phpbbbugs/viewtopic_loggedin.jpg
        Screen cap of viewprofile logged in:
        http://www.dilligaff.org/images/phpbbbugs/viewprofile_loggedin.jpg
        Screen cap of viewtopic from guest:
        http://www.dilligaff.org/images/phpbbbugs/viewtopic_guest.jpg
        Screen cap of viewprofile from guest:
        http://www.dilligaff.org/images/phpbbbugs/viewprofile_guest.jpg

        Show
        narqelion narqelion [X] (Inactive) added a comment - The reported behavior is not reproducible in a vanilla install. There has to be another factor in the OP's reported behavior. The following configuration with screen caps for each scenario is included below. Vanilla 3.0.7pl1 Users send e-mail via board: Disabled http://www.dilligaff.org/images/phpbbbugs/settings.jpg Screen cap of viewtopic logged in: http://www.dilligaff.org/images/phpbbbugs/viewtopic_loggedin.jpg Screen cap of viewprofile logged in: http://www.dilligaff.org/images/phpbbbugs/viewprofile_loggedin.jpg Screen cap of viewtopic from guest: http://www.dilligaff.org/images/phpbbbugs/viewtopic_guest.jpg Screen cap of viewprofile from guest: http://www.dilligaff.org/images/phpbbbugs/viewprofile_guest.jpg
        Hide
        stevemaury stevemaury added a comment -

        I guess my question is, if the default behavior is as narqelion says, where in the code is the provision for not displaying the email icon to users not logged in?

        Show
        stevemaury stevemaury added a comment - I guess my question is, if the default behavior is as narqelion says, where in the code is the provision for not displaying the email icon to users not logged in?
        Hide
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

        Steve:

        ($config['board_hide_emails'] && !$auth->acl_get('a_email') ? '' :


        Just one fragment of line 1151 of viewtopic.php. That is, only administrators will ever see the mailto: link. You'll find similar code in memberlist.php.

        Show
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment - Steve: ($config['board_hide_emails'] && !$auth->acl_get('a_email') ? '' : Just one fragment of line 1151 of viewtopic.php. That is, only administrators will ever see the mailto: link. You'll find similar code in memberlist.php.
        Hide
        narqelion narqelion [X] (Inactive) added a comment -

        That is, only administrators will ever see the mailto: link. You'll find similar code in memberlist.php.

        Exactly, I setup a test board to illustrate that for him tonight but he hasn't accessed it yet. There is some inconsistency in what admin permissions are needed to see the email icon, for instance the 'can manage users' permission gives you the link in viewprofile but not viewtopic oddly enough. I discovered this whole convoluted use case mix while troubleshooting a support topic over a year ago, this one to be exact. http://www.phpbb.com/community/viewtopic.php?p=9821105#p9821105

        As as result of that topic I went through and documented every possible use case for sending email and the resulting workflow needed to achieve the desired result. While the OP's issue is not a bug since it is behaving exactly as it is coded to behave, the behavior is inconsistent between the two methods of sending email and I believe there is an opportunity to improve it so users can achieve the same result in who can send emails regardless of whether they are using the board to send emails or allowing direct emails. I really think you should reopen this ticket change it to type=Improvement and work out the discrepancies in behavior. Currently the permission 'can send emails' only controls the ability to email (regular)user to user if $config['board_email_form'] is 1, it has no effect if $config['board_email_form'] is 0 in which case it (it being emailing user -> user) is then controlled instead by 'hide e-mail addresses', which IMO it should not be.

        Here's my list of behaviors I expected to see but didn't:

        Email icon should not display anywhere if you do not have permission to send emails
        Permission setting should control ability to send emails regardless of email config values
        If you have admin permission to view "hidden" email addresses that permission should display them in every view

        *All the above comments assume that 'Users can contact me by e-mail: is Yes' since that variable also determines visibility of the email icon/link under both configurations.

        Show
        narqelion narqelion [X] (Inactive) added a comment - That is, only administrators will ever see the mailto: link. You'll find similar code in memberlist.php. Exactly, I setup a test board to illustrate that for him tonight but he hasn't accessed it yet. There is some inconsistency in what admin permissions are needed to see the email icon, for instance the 'can manage users' permission gives you the link in viewprofile but not viewtopic oddly enough. I discovered this whole convoluted use case mix while troubleshooting a support topic over a year ago, this one to be exact. http://www.phpbb.com/community/viewtopic.php?p=9821105#p9821105 As as result of that topic I went through and documented every possible use case for sending email and the resulting workflow needed to achieve the desired result. While the OP's issue is not a bug since it is behaving exactly as it is coded to behave, the behavior is inconsistent between the two methods of sending email and I believe there is an opportunity to improve it so users can achieve the same result in who can send emails regardless of whether they are using the board to send emails or allowing direct emails. I really think you should reopen this ticket change it to type=Improvement and work out the discrepancies in behavior. Currently the permission 'can send emails' only controls the ability to email (regular)user to user if $config ['board_email_form'] is 1, it has no effect if $config ['board_email_form'] is 0 in which case it (it being emailing user -> user) is then controlled instead by 'hide e-mail addresses', which IMO it should not be. Here's my list of behaviors I expected to see but didn't: Email icon should not display anywhere if you do not have permission to send emails Permission setting should control ability to send emails regardless of email config values If you have admin permission to view "hidden" email addresses that permission should display them in every view *All the above comments assume that 'Users can contact me by e-mail: is Yes' since that variable also determines visibility of the email icon/link under both configurations.
        Hide
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

        Please place that information in its own bug report.

        Show
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment - Please place that information in its own bug report.
        Hide
        outofsync outofsync [X] (Inactive) added a comment -

        You're right. There's one more step needed to reproduce my problem: You also need to set "hide email adresses" to "No" in "Email settings".

        Did that on a vanilla 3.0.7-PL install, and now the anonymous user can send email to every user who has enabled the "users can contact via email" setting. Moreover, not only guests, but now every user who (in theory) has no permission to send email, can send emails.

        As I said, I think it's a security hole, because just imagine this scenario: there can be a board in which users enjoy to share their email addresses as "mailto" links, but... if you enable that... everybody in the world will see their email addresses.

        Show
        outofsync outofsync [X] (Inactive) added a comment - You're right. There's one more step needed to reproduce my problem: You also need to set "hide email adresses" to "No" in "Email settings". Did that on a vanilla 3.0.7-PL install, and now the anonymous user can send email to every user who has enabled the "users can contact via email" setting. Moreover, not only guests, but now every user who (in theory) has no permission to send email, can send emails. As I said, I think it's a security hole, because just imagine this scenario: there can be a board in which users enjoy to share their email addresses as "mailto" links, but... if you enable that... everybody in the world will see their email addresses.
        Hide
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

        Yes, that does make the behavior reproduce.

        Show
        A_Jelly_Doughnut A_Jelly_Doughnut added a comment - Yes, that does make the behavior reproduce.
        Hide
        narqelion narqelion [X] (Inactive) added a comment -

        You're right. There's one more step needed to reproduce my problem: You also need to set "hide email adresses" to "No" in "Email settings".

        Yes I am aware however as it was explained to me last year to do that means you are doing it the "wrong way" I did not agree then as I do not now. The behavior you describe is the expected result if you do not send emails via the board and do not hide email addresses in the config settings because that it how it was coded to behave. Basically what I was told is that if you want to allow your users to email each other and still protect their email addresses you must send emails via the board. Your situation is an issue because you are trying to use the board email function in a use case it was not designed to handle. I totally agree that it should be changed for the better although I don't agree it is a security hole for two reasons, 1)The developers have known exactly how it behaved (as intended) for at least 4 years and 2) You can easily "plug" the security hole by toggling the hide email addresses setting or switching to sending emails via the board, in essence prevent a potential exploit (such as email harvesting) by configuring the software "properly." I find it more of an undesirable behavior than a security flaw.

        Here is a link to the initial position on intended behavior that I found while researching it last year:
        http://tracker.phpbb.com/browse/PHPBB3-897

        For some perspective here are some other older tickets that touched on the same behavior:
        In this one the reporter experienced the opposite result in that they could not figure out at first why the email icons were not displaying, http://tracker.phpbb.com/browse/PHPBB3-7326
        And this one which was never resolved had the same issue, did not realize that hiding the email addresses hid them from everyone but admins. http://tracker.phpbb.com/browse/PHPBB3-8830 There are other tickets as well but they are similar in nature regarding the confusion over behavior when not using the board to send emails.

        Show
        narqelion narqelion [X] (Inactive) added a comment - You're right. There's one more step needed to reproduce my problem: You also need to set "hide email adresses" to "No" in "Email settings". Yes I am aware however as it was explained to me last year to do that means you are doing it the "wrong way" I did not agree then as I do not now. The behavior you describe is the expected result if you do not send emails via the board and do not hide email addresses in the config settings because that it how it was coded to behave. Basically what I was told is that if you want to allow your users to email each other and still protect their email addresses you must send emails via the board. Your situation is an issue because you are trying to use the board email function in a use case it was not designed to handle. I totally agree that it should be changed for the better although I don't agree it is a security hole for two reasons, 1)The developers have known exactly how it behaved (as intended) for at least 4 years and 2) You can easily "plug" the security hole by toggling the hide email addresses setting or switching to sending emails via the board, in essence prevent a potential exploit (such as email harvesting) by configuring the software "properly." I find it more of an undesirable behavior than a security flaw. Here is a link to the initial position on intended behavior that I found while researching it last year: http://tracker.phpbb.com/browse/PHPBB3-897 For some perspective here are some other older tickets that touched on the same behavior: In this one the reporter experienced the opposite result in that they could not figure out at first why the email icons were not displaying, http://tracker.phpbb.com/browse/PHPBB3-7326 And this one which was never resolved had the same issue, did not realize that hiding the email addresses hid them from everyone but admins. http://tracker.phpbb.com/browse/PHPBB3-8830 There are other tickets as well but they are similar in nature regarding the confusion over behavior when not using the board to send emails.
        Hide
        outofsync outofsync [X] (Inactive) added a comment -

        I understand that sending emails through the board adds security. However, there're boards where the typical user has little computer experience, and what they want is just share their email address. Of course this could be done with a custom profile field for showing the email, but then users would need to type their email address three times when registering (one for account creation, another for confirmation, and another for the "email custom profile field").

        Also, consider that for this type of users with little computer experience, the board-sent mails can be confusing, as the "From" field is set as the board rather than the user (there's a ticket asking to change this, because some webmail servers ignore the "Reply to" field, and replies are sent to the administrator address -I experienced this undesired behaviour myself, and it was the concluding reason that finally convinced me that board-sent emails would be a nightmare in such kind of board where a lot of people are new to computers).

        I would enable board-sent emails if the message, when received, had absolutely no difference to if it had been sent from a usual email application.

        Show
        outofsync outofsync [X] (Inactive) added a comment - I understand that sending emails through the board adds security. However, there're boards where the typical user has little computer experience, and what they want is just share their email address. Of course this could be done with a custom profile field for showing the email, but then users would need to type their email address three times when registering (one for account creation, another for confirmation, and another for the "email custom profile field"). Also, consider that for this type of users with little computer experience, the board-sent mails can be confusing, as the "From" field is set as the board rather than the user (there's a ticket asking to change this, because some webmail servers ignore the "Reply to" field, and replies are sent to the administrator address -I experienced this undesired behaviour myself, and it was the concluding reason that finally convinced me that board-sent emails would be a nightmare in such kind of board where a lot of people are new to computers). I would enable board-sent emails if the message, when received, had absolutely no difference to if it had been sent from a usual email application.

          People

          • Assignee:
            A_Jelly_Doughnut A_Jelly_Doughnut
            Reporter:
            outofsync outofsync [X] (Inactive)
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development