Failing SMTP connection might result in information disclosure in password recovery #17091
Comments
I suppose in many cases the login will be the same as the sender, and the sender is kind of guessable anyway? Nonetheless, it could maybe be replaced automatically by catching the exception and throwing it again?
@tsteur Yes, exactly. It should be enough to do that for the password recovery only, I guess, as that error message might be publicly visible.
It might be possible that PHPMailer changed the code to no longer return the full SMTP error message. Nevertheless, in the password recovery we maybe shouldn't reveal any error details, as it might be public. It might be better to show something unspecific like
@sgiehl would there be much of a benefit? It might then be quite hard for users to troubleshoot where the problem is. I would have probably suggested the opposite: adding a sentence like "Please ask a Matomo administrator to check the configured Mail credentials in Matomo -> Administration -> General Settings".
@tsteur It's just important that we replace the message coming from PHPMailer, as it might contain information we might not want to disclose in password recovery.
Decision: In conversation with @tsteur and @justinvelluppillai we resolved this by intending to create an FAQ. Now, the question is, should it be on one of these pages?
I think it should be 3., but 2. would get them there in one click with the current Google search, for example: https://www.google.com/search?client=firefox-b-d&q=smtp+error+could+not+authenticate+matomo We checked the PHPMailer code and it throws a generic Exception for all errors; errors are translated, so even doing a substring match would be error-prone. A bit unusual for such a high-profile project as PHPMailer. So, in short, the best solution we figured out is to create an FAQ which users/admins would find easily with a search engine. The original issue had already been resolved previously and we know no authentication configuration is leaked.
I would create a new FAQ in the troubleshooting category like We could link to this new FAQ in https://matomo.org/faq/troubleshooting/faq_34856/ also. |
Changing library to PHPMailer already fixed this and we created FAQ for the error. |
When the SMTP connection is not set up correctly, or is failing for other reasons like #17026, requesting password recovery currently displays the full error message returned from the SMTP server. This could, for example, include the sender mail address or the login.
As the password recovery is publicly available, we should consider not showing the full error message in this case.
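The catch-and-rethrow approach discussed in the thread, as an added example written for this page; it is not Matomo's code and not something posted in the issue. It uses PHPMailer's exception mode (constructor argument `true`), logs the detailed transport error server-side where only an administrator can read it, and throws a generic exception whose message is the only thing that reaches the public recovery form. The function name `sendPasswordRecoveryMail`, the `PasswordRecoveryMailFailed` class, the `$smtpConfig` array and all addresses, hosts and credentials are assumptions constructed for the example.

```php
<?php
// Added example, not Matomo's or PHPMailer's own code. Assumes PHPMailer is
// installed via Composer so the autoloader below resolves the classes.
require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception as MailException;

// Hypothetical configuration shape with constructed, non-working values.
$smtpConfig = [
    'host'     => 'smtp.example.invalid',
    'port'     => 587,
    'username' => 'noreply@example.invalid',
    'password' => 'not-a-real-password',
    'from'     => 'noreply@example.invalid',
];

/**
 * The only exception the public recovery page is allowed to render.
 * Its message is fixed and contains no host, login, sender address or
 * SMTP server banner, so it is safe to show to an unauthenticated user.
 */
class PasswordRecoveryMailFailed extends \RuntimeException
{
    public function __construct()
    {
        parent::__construct(
            'The recovery email could not be sent. Please ask a Matomo '
            . 'administrator to check the configured mail settings.'
        );
    }
}

function sendPasswordRecoveryMail(array $cfg, string $to, string $resetLink): void
{
    // true: PHPMailer throws PHPMailer\PHPMailer\Exception instead of returning false.
    $mail = new PHPMailer(true);
    try {
        $mail->isSMTP();
        $mail->Host       = $cfg['host'];
        $mail->Port       = $cfg['port'];
        $mail->SMTPAuth   = true;
        $mail->Username   = $cfg['username'];
        $mail->Password   = $cfg['password'];
        $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
        $mail->SMTPDebug  = 0; // never echo the SMTP dialogue into the HTTP response

        $mail->setFrom($cfg['from']);
        $mail->addAddress($to);
        $mail->Subject = 'Password recovery';
        $mail->Body    = 'Use this link to reset your password: ' . $resetLink;

        $mail->send();
    } catch (MailException $e) {
        // The detailed message may contain the login, the sender address or
        // the server's reply. Keep it for the administrator in the server log
        // and rethrow a generic error for the public page.
        error_log('Password recovery mail failed: ' . $e->getMessage());
        throw new PasswordRecoveryMailFailed();
    }
}

// Usage from the recovery controller: only the fixed message reaches the HTML.
try {
    sendPasswordRecoveryMail(
        $smtpConfig,
        'user@example.invalid',
        'https://analytics.example.invalid/reset?token=EXAMPLE-TOKEN'
    );
    echo 'A recovery email has been sent.';
} catch (PasswordRecoveryMailFailed $e) {
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the thread notes that PHPMailer throws one generic, translated Exception for every failure, the catch does not try to classify the error by message text; everything that comes out of `send()` is logged verbatim and replaced, which is also why the administrator-facing hint suggested in the discussion is baked into the fixed message rather than derived from the SMTP reply.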