[SOLVED] Swift security risk

Posted: Fri Jul 27, 2007 9:56 am
by daride
Hello, I just noticed that when, for instance, you change the password of your SMTP e-mail address on the server,
Swift throws up a nice error message:

Code:

Fatal error: Uncaught exception 'Swift_Connection_Exception' with message 'Authentication failed using username 'kijssel@xs4all.nl' and password '*******'' in /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php:374 Stack trace: #0 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php(315): Swift_Connection_SMTP->runAuthenticators('kijssel@xs4all....', '********', Object(Swift)) #1 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(272): Swift_Connection_SMTP->postConnect(Object(Swift)) #2 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(229): Swift->handshake(Object(Swift_Events_ResponseEvent)) #3 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift.php(102): Swift->connect() #4 /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/abuse.php(28): Swift->__ in /mounted-storage/home51c/sub006/sc34838-NZUT/wmstek/admin/includes/classes/swiftmailer/lib/Swift/Connection/SMTP.php on line 374
With the password included that is....
How can I counter-attack this error in the future?

-Vincent

Posted: Fri Jul 27, 2007 9:58 am
by superdezign
You need to catch exceptions thrown by Swiftmailer.

Code:

try {
    $pSwift->send(...);
} catch(Exception $e) {
    echo 'There was an error sending the email.';
}

Posted: Fri Jul 27, 2007 10:18 am
by daride
Thank you very much.

Posted: Fri Jul 27, 2007 11:28 am
by nickvd
To take it a little further (and allow more custom logic)...

Code:

try {
    $pSwift->send(...);
} catch(Swift_Connection_Exception $e) {
    echo 'There was an error Connecting to the server.' . $e->getMessage();
}

(not 100% sure on the getMessage method)

Posted: Fri Jul 27, 2007 11:37 am
by superdezign
nickvd wrote:To take it a little further (and allow more custom logic)...

Code:

try {
    $pSwift->send(...);
} catch(Swift_Connection_Exception $e) {
    echo 'There was an error Connecting to the server.' . $e->getMessage();
}

(not 100% sure on the getMessage method)
Yeah, the getMessage function is correct. The exceptions in Swiftmailer are basically just aliases of the default Exception to better explain what went wrong at first glance, even if the exception is not caught.

Posted: Fri Jul 27, 2007 12:54 pm
by Chris Corbyn
That's right, you should catch it. However, this is the code:

Code:

throw new Swift_ConnectionException("Authentication failed using username '" . $user . "' and password '" . str_repeat("*", strlen($pass)) . "'");
It's starred out so all you know is the username. Are you saying the password is included? :?

Posted: Fri Jul 27, 2007 12:56 pm
by Chris Corbyn
Ah, gotcha, I misread that. Unfortunately I can't do anything about the stack trace, just catch the exception.
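
An added example, not part of the original thread and not Swift Mailer's own code, showing the approach the replies describe: catch the exception, give the visitor a generic message, and keep the detail in a server-side log without the message text or trace arguments. `Demo_Connection_Exception`, `demo_smtp_login()`, `safe_log_line()` and `send_mail_safely()` are hypothetical names, and the credentials are constructed.

```php
<?php
// Added example. Demo_Connection_Exception and demo_smtp_login() are
// hypothetical stand-ins for the mailer; the credentials are constructed.
ini_set('display_errors', '0');             // never render errors or traces into the page
ini_set('log_errors', '1');                 // send them to the server-side error log instead
ini_set('zend.exception_ignore_args', '1'); // PHP 7.4+: keep call arguments out of traces

class Demo_Connection_Exception extends Exception {}

function demo_smtp_login($user, $pass)
{
    // Same message format as quoted in the thread: username shown, password starred.
    throw new Demo_Connection_Exception(
        "Authentication failed using username '" . $user .
        "' and password '" . str_repeat('*', strlen($pass)) . "'"
    );
}

// Build a log line from the exception class and throw site only. getMessage()
// (username, password length) and the trace (call arguments) are left out.
function safe_log_line($e)
{
    return sprintf('%s at %s:%d', get_class($e), basename($e->getFile()), $e->getLine());
}

// Last line of defence for anything a try/catch missed.
set_exception_handler(function ($e) {
    error_log('Uncaught ' . safe_log_line($e));
    echo 'An internal error occurred.';
});

function send_mail_safely($user, $pass)
{
    try {
        demo_smtp_login($user, $pass);
        return 'Message sent.';
    } catch (Demo_Connection_Exception $e) {
        error_log(safe_log_line($e));                    // detail stays on the server
        return 'There was an error sending the email.';  // generic text for the visitor
    }
}

echo send_mail_safely('user@example.test', 'constructed-password'), "\n";
```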