In the definition of the function SmtpConnect()
, if Connect()
is succesful $connection
is true at the end, even if authentication failed. One may think that, because there is a connection, we want it to be true. Actually, we don't becauise, if at the beginning of the function SmtpSend()
the value of $this->SmtpConnect()
is true, the remainder of the function is executed : the value of $smtp_from
is checked, etc. This is a security risk. If we are lucky, the failed authentication will be reported as a failed From address, but we shouldn't rely on that.
In the fonctiion SmtpConnect()
, I suggest to move the assignement $connection = true
before every thing else inside the body of the if($this->SMTPAuth)
statement and also add an else section to that if statement and copy again $connection = true
in there. In this way, $connection
will only be true if authentication succeeded or was not required,
I report this bug here because it is also a non expected behavior, irrespectively of any attack. When authentication fails, it should be reported a failed authentication, not as a failed From address. It is not just a securirty risk. It is very confusing to be told that the From address failed when, in fact, we simply failed authentication.
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedOK, it is not a big security issue. The only harm that is created is that the sender is misinforned when authentication fails. This is why I did not post it on the security forum. Still, I think it will help that
the sender is well informed when authentication fails. The situation, at that level, is worst than I tought.
If
$this->smtp->Connected()
is true, then the while loop and authentication are never executed in theSmtpConnect()
function, even if authentication is required ! Therefore, unless I am missing something, the statement$connection = ($this->smtp->Connected());
before the while loop should be$connection = false;
. This is in addition to the modification that is proposed above, which, BTW, is equivalent to moving the assignment$connection = true;
before theif($this->SMTPAuth)
statement.Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #3
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #4
WorldFallz CreditAttribution: WorldFallz commentedreverting title