[Koha] [discussion] Privacy issue (bug 3280)

Paul paul.a at aandc.org
Mon Jul 9 07:43:37 NZST 2012


At 06:21 PM 7/8/2012 +0100, MJ Ray wrote:
>Ian Walls <koha.sekjal at gmail.com>
> > IP address is not sufficiently rigorous to identify an individual or even
> > a location (TOR network and all that).  It's routinely mis-used as such an
> > identifier.  I don't see any benefit to adding it to Koha's outgoing
> > emails, since it cannot be relied upon, and it could put people at risk of
> > ill-advised legal sanction.
> >
> > If there is a strong use case for it, it would need to go behind a syspref,
> > with the default value set to "disable".  But personally I don't think it's
> > worth including.
>
>I don't either.  IP addresses are usually registered to a person
>(including legal persons like companies) and/or a place (which is
>inexact because one of my Norfolk IP addresses is incorrectly thought
>to be in Somerset, while another is somewhere in Yorkshire...), so
>they're roughly like phone numbers.

Sorry to jump into this one a bit late ... but I do have a bit of 
background in security aspects (spammer abuse in particular) of various 
cgi, perl, php "sendmail" scripts; the bottom line is that there is 
intrinsically no way of making them fully functional and secure at the same 
time. And ... I've just discovered that our production Koha 3.6.1 is wide 
open to this type of exploit; without logging in as a user, I have just 
spammed 5 of _my_own_ addresses as a "proof of concept."  Thank goodness 
our users appear to be well behaved :=)

Some basic thoughts:

Hard code the To: address (or at the very least limit programmatically the 
To: to a single recipient [1].)  In Koha, each logged in user has a primary 
and a single secondary email -- a drop down box "Choose primary/secondary" 
would stop a spammer.  If a genuine user really wanted to send to a new 
address, modifying the secondary email is trivial (but too time consuming 
for a spammer who has much easier "targets" than a Koha system.)

Do not, under any circumstances, allow a user to enter Cc: or Bcc:.

Deny, via regex, anything approaching URL format in the "Comments".

For the truly paranoid, rate-limiting to say 5 "send carts" per 24 hours 
would probably not offend genuine users.

As a "close the barn door after the horse has bolted" backup, add an 
X-Originating-IP: [xxx.xxx.xxx.xxx] taken from $ENV{'REMOTE_ADDR'} [or even 
$ENV{'REMOTE_HOST'}  which will be the same if no rDNS.]  If you're worried 
about privacy (and to the best of my knowledge this X-header has never been 
challenged under privacy laws, and is a de facto industry standard -- e.g. 
just have a look at any hotmail.com set of headers) the pop-up could say 
"You're logged in from xxx.xxx.xxx.xxx and this will be recorded in your 
email; do not click send if this concerns you."

Now, I'm off to close this loophole.

Best - Paul

[1] Example:

sub check_email {
    # Address under test is passed in as the argument rather than read from a global
    my ($email_add) = @_;
    my $email_test = $email_add;
    # reject invalid syntax including multiples, but not type user@[255.255.255.0]
    if ($email_test =~ /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/ ||
        # or does not conform to basic syntax
        $email_test !~ /^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z0-9]+)(\]?)$/) {
        return 0;
    }
    else {
        return 1;
    }
}


>The Koha user_id is more identifying and more likely to be owned by
>the person triggering the email.  Having Koha send out an IP address
>in a cleartext email seems like a possible breach of privacy law in
>some situations, handing over what might be someone else's phone
>numbers... sorry, IP address numbers.
>
>The argument that people need to be able to tell IP addresses to
>terrorist lawmakers seems unrelated: that information can be logged on
>the server if wanted.  The email recipient and intermediate handlers
>do not need to know the requestor's IP address under the terror laws
>I've seen, only where they got it from.
>
>So, no IP address, but if you think you must, syspref default disabled.
>
>Regards,
>--
>MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
>http://koha-community.org supporter, web and library systems developer.
>In My Opinion Only: see http://mjr.towers.org.uk/email.html
>Available for hire (including development) at http://www.software.coop/
>_______________________________________________
>Koha mailing list  http://koha-community.org
>Koha at lists.katipo.co.nz
>http://lists.katipo.co.nz/mailman/listinfo/koha

---
Maritime heritage and history, preservation and conservation,
research and education through the written word and the arts.
<http://UltraMarine.ca>, <http://AandC.org> and <http://MarDoc.ca>
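The measures listed in the post (To: restricted to the patron's own registered primary/secondary address, no Cc:/Bcc:, URL-shaped comments refused, 5 sends per 24 hours, an X-Originating-IP header taken from REMOTE_ADDR) put together in one Perl routine. This is an added illustration, not Koha's code and not the author's; the patron field names (email, emailpro), the sub names, the sender address and the 192.0.2.10 address are constructed assumptions, and in a real deployment the registered addresses would come from the borrower record and the send log from persistent storage.

```perl
#!/usr/bin/perl
# Added example (not Koha code): assembles a "send cart" message under the
# rules from the post. Field names, sub names and addresses are assumptions.
use strict;
use warnings;

my $FROM        = 'library@example.org';   # constructed sender address
my $MAX_SENDS   = 5;                        # "5 send carts per 24 hours"
my $WINDOW_SECS = 24 * 60 * 60;
my %send_log;   # borrowernumber => [ epoch seconds of recent sends ] (in-memory, demo only)

# Constructed patron record; the field names are an assumption, not Koha's schema.
my %patron = (
    borrowernumber => 42,
    email          => 'patron@example.org',
    emailpro       => 'patron.work@example.net',
);

# Minimal syntax check: exactly one '@', dotted domain, no whitespace.
sub looks_like_email {
    my ($addr) = @_;
    return $addr =~ /^[^\s@]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/ ? 1 : 0;
}

# The form submits only the word "primary" or "secondary"; the address itself
# is never taken from the request, so the sender cannot name an arbitrary target.
sub pick_recipient {
    my ($p, $choice) = @_;
    my %slot = (primary => 'email', secondary => 'emailpro');
    my $field = $slot{ $choice // '' } or return;
    my $addr = $p->{$field};
    return unless defined $addr && looks_like_email($addr);
    return $addr;
}

# Deny anything approaching URL format in the free-text comment.
sub comment_is_clean {
    my ($comment) = @_;
    $comment //= '';
    return 0 if $comment =~ m{ (?:[a-z][a-z0-9+.-]*://) | \bwww\. | \.[a-z]{2,}/ }ix;
    return 1;
}

# Sliding-window limit: at most $MAX_SENDS in the last $WINDOW_SECS per patron.
sub within_rate_limit {
    my ($borrowernumber, $now) = @_;
    $now //= time;
    my $log = $send_log{$borrowernumber} ||= [];
    @$log = grep { $_ > $now - $WINDOW_SECS } @$log;   # forget sends outside the window
    return 0 if @$log >= $MAX_SENDS;
    push @$log, $now;
    return 1;
}

# Returns ($message, undef) on success or (undef, $reason) when the send is refused.
sub build_cart_message {
    my (%arg) = @_;
    my $to = pick_recipient($arg{patron}, $arg{choice})
        or return (undef, 'recipient must be the primary or secondary address');
    return (undef, 'comment contains a URL') unless comment_is_clean($arg{comment});
    return (undef, 'rate limit exceeded')
        unless within_rate_limit($arg{patron}{borrowernumber}, $arg{now});
    # REMOTE_ADDR is set by the web server, but only a plain IP literal is
    # allowed into the header so no request-controlled text can add header lines.
    my $ip = ($arg{remote_addr} // '') =~ /^[0-9A-Fa-f:.]{3,45}$/ ? $arg{remote_addr} : 'unknown';
    my $msg = join "\r\n",
        "From: $FROM",
        "To: $to",                      # single recipient; no Cc:/Bcc: header exists to fill
        "Subject: Your library cart",
        "X-Originating-IP: [$ip]",
        '',
        $arg{comment} // '',
        '';
    return ($msg, undef);
}

# Demo with constructed input: the sixth send inside the window is refused.
my $now = 1_341_780_000;   # constructed epoch (July 2012)
for my $i (1 .. 6) {
    my ($msg, $err) = build_cart_message(
        patron      => \%patron,
        choice      => 'primary',
        comment     => "Cart $i, no links here",
        remote_addr => $ENV{REMOTE_ADDR} // '192.0.2.10',   # RFC 5737 documentation address
        now         => $now + $i,
    );
    print $err ? "send $i refused: $err\n" : "send $i ok -> " . (split /\r\n/, $msg)[1] . "\n";
}
my (undef, $err) = build_cart_message(patron => \%patron, choice => 'secondary',
    comment => 'see http://example.com/offer', remote_addr => '192.0.2.10', now => $now);
print "comment check: $err\n";
```

Two design points worth noting: the request carries a choice token rather than an address, so there is nothing for the recipient check to get wrong, and the X-Originating-IP value is accepted only if it parses as an IP literal, so the one header that is built from the environment cannot be used to smuggle extra header lines into the message.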


