In the definition of the function SmtpConnect() , if Connect() is succesful $connection is true at the end, even if authentication failed. One may think that, because there is a connection, we want it to be true. Actually, we don't becauise, if at the beginning of the function SmtpSend() the value of $this->SmtpConnect() is true, the remainder of the function is executed : the value of $smtp_from is checked, etc. This is a security risk. If we are lucky, the failed authentication will be reported as a failed From address, but we shouldn't rely on that.

In the fonctiion SmtpConnect() , I suggest to move the assignement $connection = true before every thing else inside the body of the if($this->SMTPAuth) statement and also add an else section to that if statement and copy again $connection = true in there. In this way, $connection will only be true if authentication succeeded or was not required,

I report this bug here because it is also a non expected behavior, irrespectively of any attack. When authentication fails, it should be reported a failed authentication, not as a failed From address. It is not just a securirty risk. It is very confusing to be told that the From address failed when, in fact, we simply failed authentication.

Comments

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

OK, it is not a big security issue. The only harm that is created is that the sender is misinforned when authentication fails. This is why I did not post it on the security forum. Still, I think it will help that
the sender is well informed when authentication fails. The situation, at that level, is worst than I tought.
If $this->smtp->Connected() is true, then the while loop and authentication are never executed in the SmtpConnect() function, even if authentication is required ! Therefore, unless I am missing something, the statement $connection = ($this->smtp->Connected()); before the while loop should be $connection = false;. This is in addition to the modification that is proposed above, which, BTW, is equivalent to moving the assignment $connection = true; before the if($this->SMTPAuth) statement.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Priority: Critical » Normal
Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Title: Failed authentication not properly managed - at the best reported as a failed From address. » No title
Project: SMTP Authentication Support » Annotation
Version: 5.x-1.x-dev » 4.1.x-1.x-dev
Component: Code » Documentation
Category: bug » task
Status: Active » Closed (fixed)
WorldFallz’s picture

WorldFallz CreditAttribution: WorldFallz commented
Title: No title » Failed authentication not properly managed - at the best reported as a failed From address

reverting title