    • 13226
    • 953 Posts
    I am having a curious problem.

    I don't use the SMTP password so there should by rights be no content in it - but there is.

    Looking at the rendered source code the first time I saw a value of "beZdAqp" - I have no idea where this came from.

    If I delete the content of the SMTP password, save the changes and then go back, et voila, a new value is there.

    If I make other changes to the config and save, then go back and look at the SMTP password, it gets bigger e.g:

    • Change 1: YvnNMDy
    • Change 2: WXZuTk1EeQ%%85ZJfAK
    • Change 3: V1hadVRrMUVlUSUlODVaSmZBSw%%3b5Pykj

    The password, no matter the length, is saved in the "siteCache.idx.php" every time a change in the configuration is made, be the change to do with or not to do with the SMTP password.

    Looking at: manager/actions/mutate_settings.dynamic.php I find the following for the value:
    value="<?php echo isset($smtppw) ? $smtppw : "******" ; ?>"


    Any feedback is welcome

    Cheers
        • 13226
        • 953 Posts
        Cheers Jako.
          • 13226
          • 953 Posts
          @ Jako

          Just to let you know:

          I have spent the last couple of hours installing a fresh copy from "dmi3yy / evolution" due to the problem I am having with umlauts.

          After installing and setting the config I took a look at the SMTP password: the problem is still there, no change.

          I can delete, but it always comes back, but this time I get the feeling the password is growing in length.
          • The password is not set - even if it shows a few signs - just to hide how many signs are in.

            But maybe you have a smarter solution for that.
              • 13226
              • 953 Posts
              Quote from: Jako at Nov 06, 2013, 08:55 PM
              The password is not set - even if it shows a few signs - just to hide how many signs are in.

              Please forgive my lack of understanding but I am not sure I understand how this whole thing functions.

              Every time I make a modification in the configuration it saves the Modx generated smtp password to the siteCache.idx.php

              $c['smtppw'] = "";


              Example:

              Using "123456789" as a password produces the following in the sitecache file
              $c['smtppw'] = "MTIzNDU2Nzg5yhW6GRv";

              If I then change a different setting in the configuration and save, the password is changed to:
              $c['smtppw'] = "TVRJek5EVTJOemc1eWhXNkdSdg%%CerTnPN";

              If I make another modification the password changes again and at the same time it gets bigger
              $c['smtppw'] = "VFZSSmVrNUVWVEpPZW1jMWVXaFhOa2RTZGclJUNlclRuUE4%De8JFym";

              Is this supposed to happen ?
              • The SMTP password will be saved (somehow scrambled for sure) in DB and will be also saved in the cache (since all MODX settings are saved in cache).

                Don't ask me if that is a real security issue. But if an attacker has come that far, he easily could read the DB too. And the SMTP Password has to be saved somewhere.

                There is a second patch on that makes it possible to clean the saved value.
                  • 13226
                  • 953 Posts
                  Tried and tested. Thanks

                  That now clears the password permanently once initially deleted.

                  Just for understanding:

                  When I add a password and save, then make other changes and save and do that all again: why does the password info in the sitecache always change ?
                  • Should not. Or does the setting change in the DB too? Then it is a bug - but I don't see one.
                      • 13226
                      • 953 Posts
                      Quote from: Jako at Nov 06, 2013, 10:09 PM
                      Should not. Or does the setting change in the DB too? Then it is a bug - but I don't see one.

                      What I can see is that the DB (TABLENAME_system_settings => smtppw) changes, as does the sitecache.php

                      They each have the same content and change every time I make a change to the manager configuration and save the changes

                      I just tested with password 123456

                      both sitecache and DB had the following:

                      1. initial password added 123456, saved and got: TVRJek5EVTJORHZxanNFG2yp3Bj
                      2. made a change in config, saved it and got: VFZSSmVrNUVWVEpPUkhaeGFuTkZHMnlwM0Jq2DEL9Xz
                      3. made a third change and got: VkZaU1NtVnJOVVZXVkVwUFVraGFlR0Z1VGtaSE1ubHdNMEpxMkRFTDlYeg%%Xv9VEFR

                      After each save, I checked both the DB and sitecache.php - they both had the same info
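
Added example (not part of the thread and not MODX code): the values posted above are consistent with each save base64-encoding the already stored value, writing the `=` padding as `%`, and appending 7 extra characters. That scheme and the names `SALT_LEN`, `unwrap_once` and `unwrap_chain` are assumptions inferred from those values; the sketch peels the layers back, showing that the growth is repeated re-encoding and that the stored form is reversible encoding rather than encryption.

```python
import base64
import binascii

# Assumption inferred from the posted values: every save appends 7 characters.
SALT_LEN = 7


def unwrap_once(stored: str) -> str:
    """Undo one save: drop the trailing characters, map '%' back to '=', decode."""
    body = stored[:-SALT_LEN].replace("%", "=")
    return base64.b64decode(body, validate=True).decode("ascii")


def unwrap_chain(stored: str, max_layers: int = 10) -> list[str]:
    """Peel layers until the remainder no longer decodes.

    Returns the stored value followed by every intermediate value. A plaintext
    password that happens to look like base64 would be over-peeled, so read
    the whole list rather than only its last element.
    """
    layers = [stored]
    for _ in range(max_layers):
        if len(layers[-1]) < SALT_LEN:
            break
        try:
            layers.append(unwrap_once(layers[-1]))
        except (binascii.Error, UnicodeDecodeError):
            break
    return layers


if __name__ == "__main__":
    # Values quoted in the thread: third save of the test password "123456789",
    # and third save of an empty password field.
    samples = [
        "VFZSSmVrNUVWVEpPZW1jMWVXaFhOa2RTZGclJUNlclRuUE4%De8JFym",
        "V1hadVRrMUVlUSUlODVaSmZBSw%%3b5Pykj",
    ]
    for sample in samples:
        for depth, value in enumerate(unwrap_chain(sample)):
            print(f"layer {depth}: {value!r}")
        print()
```

The number of layers a stored value unwraps to equals the number of times it was re-encoded, which makes this a quick check of whether the patch mentioned in the thread stopped the growth.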