[SOLVED] Swift security risk

Swift Mailer is a fantastic library for sending email with php. Discuss this library or ask any questions about it here.

Moderators: Chris Corbyn, General Moderators

daride
Forum Newbie
Posts: 2
Joined: Fri Jul 27, 2007 9:48 am

Post by daride »

Hello, I just noticed that when, for instance, you change the password of your SMTP e-mail address on the server, Swift throws up a nice error message:

Code: Select all

Fatal error: Uncaught exception 'Swift_Connection_Exception' with message 'Authentication failed using username 'kijssel@xs4all.nl' and password '*******'' in /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php:374 Stack trace: #0 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php(315): Swift_Connection_SMTP->runAuthenticators('kijssel@xs4all....', '********', Object(Swift)) #1 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(272): Swift_Connection_SMTP->postConnect(Object(Swift)) #2 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(229): Swift->handshake(Object(Swift_Events_ResponseEvent)) #3 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(102): Swift->connect() #4 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/abuse.php(28): Swift->__ in /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php on line 374
With the password included that is....
How can I counter-attack this error in the future?

-Vincent
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You need to catch exceptions thrown by Swiftmailer.

Code: Select all

try {
    $pSwift->send(...);
} catch (Exception $e) {
    echo 'There was an error sending the email.';
}
daride
Forum Newbie
Posts: 2
Joined: Fri Jul 27, 2007 9:48 am

Post by daride »

Thank you very much.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Post by nickvd »

To take it a little further (and allow more custom logic)...

Code: Select all

try {
    $pSwift->send(...);
} catch (Swift_Connection_Exception $e) {
    echo 'There was an error Connecting to the server.' . $e->getMessage();
}

(not 100% sure on the getMessage method)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

nickvd wrote: To take it a little further (and allow more custom logic)...

Code: Select all

try {
$pSwift->send(...);
} catch(Swift_Connection_Exception $e) {
echo 'There was an error Connecting to the server.' . $e->getMessage();
}

(not 100% sure on the getMessage method)
Yeah, the getMessage function is correct. The exceptions in Swiftmailer are basically just aliases of the default Exception to better explain what went wrong at first glance, even if the exception is not caught.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

That's right, you should catch it. However, this is the code:

Code: Select all

throw new Swift_Connection_Exception("Authentication failed using username '" . $user . "' and password '" . str_repeat("*", strlen($pass)) . "'");
It's starred out so all you know is the username. Are you saying the password is included? :?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Ah, gotcha, I misread that. Unfortunately I can't do anything about the stack trace, just catch the exception.
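
Added example, not part of the thread and not Swift Mailer code: one way to combine the catch suggested above with settings that keep call arguments out of rendered or logged stack traces. `connectSmtp()` and `describeForLog()` are hypothetical stand-ins, and the credentials are constructed.

```php
<?php
declare(strict_types=1);

// Keep errors out of the HTTP response; send them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: do not collect argument values in exception traces at all.
ini_set('zend.exception_ignore_args', '1');

// Hypothetical stand-in for the mailer's SMTP login, which throws while the
// password is still one of its arguments.
function connectSmtp(
    string $user,
    #[\SensitiveParameter] // PHP 8.2+: masks this value in traces; a plain comment on PHP 7
    string $pass
): void {
    throw new RuntimeException("Authentication failed using username '$user'");
}

// Build a log line from an exception using only call locations, never $frame['args'].
function describeForLog(Throwable $e): string
{
    $frames = [];
    foreach ($e->getTrace() as $i => $f) {
        $call = ($f['class'] ?? '') . ($f['type'] ?? '') . $f['function'];
        $frames[] = sprintf('#%d %s() at %s:%d', $i, $call, $f['file'] ?? '[internal]', $f['line'] ?? 0);
    }
    return get_class($e) . ': ' . $e->getMessage() . ' | ' . implode(' ', $frames);
}

// Safety net for anything that is not caught at the call site.
set_exception_handler(function (Throwable $e): void {
    error_log(describeForLog($e));
    http_response_code(500);
    echo 'There was an error sending the email.';
});

try {
    connectSmtp('user@example.test', 'constructed-password'); // constructed sample values
    echo 'Sent.';
} catch (RuntimeException $e) {
    error_log(describeForLog($e));                 // detail stays server-side
    echo 'There was an error sending the email.';  // the visitor sees only this
}
```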