I am running a Drupal 7.41 site on PHP Version 5.2.17. I requested a password reset, and above the usual "Further instructions have been sent to your e-mail address" message, I got a long debug-type message which begins
2015-10-29 12:24:13 Connection: opening to 127.0.0.1:25, t=10, opt=array ( )
2015-10-29 12:24:13 Connection: opened
2015-10-29 12:24:13 SMTP -> get_lines(): $data was ""
2015-10-29 12:24:13 SMTP -> get_lines(): $str is...
and ends
SMTP -> get_lines(): $data was ""
2015-10-29 12:24:13 SMTP -> get_lines(): $str is "250 Reset OK "
2015-10-29 12:24:13 SMTP -> get_lines(): $data is "250 Reset OK "
2015-10-29 12:24:13 SERVER -> CLIENT: 250 Reset OK
In the middle of all this it actually shows the password reset link - so anyone requesting a password reset can just go to this link and log straight in.
What on earth have I done to make my site so insecure??
Here are the things which I did to solve this:
1) Checked /admin/reports/status for problems.
2) Checked that /admin/config/development/logging had 'Error messages to display' set to None.
3) Checked that I didn't have any development-specific modules running.
4) Installed https://www.drupal.org/project/security_review and followed its recommendations.
5) Realised that I had installed https://www.drupal.org/project/phpmailer to send emails...
6) Checked the configuration of phpmailer at /admin/config/system/phpmailer, and found that under 'Advanced SMTP settings', I had 'Debug level' set to 'Full communication'. Kicked myself for being such an idiot, and changed it to 'Disabled'.
Problem solved.
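A regression check for the leak described above, as an added example that is not part of the original post: it scans the page returned after a password reset request for the SMTP debug markers quoted in the post and for a one-time login link. The function names, the sample bodies and the assumed Drupal 7 link form `user/reset/<uid>/<timestamp>/<hash>` are assumptions made for the example.

```python
import re

# Markers taken from the debug output quoted in the post.
DEBUG_MARKERS = [
    re.compile(r"Connection: opening to \S+:\d+"),
    re.compile(r"SMTP -> get_lines\(\)"),
    re.compile(r"SERVER -> CLIENT:"),
]
# Assumption: Drupal 7 one-time login links look like
# user/reset/<uid>/<timestamp>/<hash>.
RESET_LINK = re.compile(r"user/reset/\d+/\d+/[A-Za-z0-9_-]+")


def scan_response(body):
    """Return (kind, pattern, hit_count) findings for a response body."""
    findings = []
    for marker in DEBUG_MARKERS:
        hits = len(marker.findall(body))
        if hits:
            findings.append(("smtp_debug_output", marker.pattern, hits))
    # Record only that a link is present; the link itself is a credential
    # and must not be copied into a report or log.
    links = len(RESET_LINK.findall(body))
    if links:
        findings.append(("reset_link_in_page", RESET_LINK.pattern, links))
    return findings


def is_leaking(body):
    """True if the page shown to the requester exposes mail debug data."""
    return bool(scan_response(body))


# Constructed sample bodies (not captured from a real site).
LEAKY_BODY = (
    '2015-10-29 12:24:13 Connection: opening to 127.0.0.1:25, t=10, opt=array ( ) '
    '2015-10-29 12:24:13 SMTP -> get_lines(): $data was "" '
    'http://example.com/user/reset/1/1446121453/CONSTRUCTED-PLACEHOLDER '
    '2015-10-29 12:24:13 SERVER -> CLIENT: 250 Reset OK '
    'Further instructions have been sent to your e-mail address.'
)
CLEAN_BODY = "Further instructions have been sent to your e-mail address."

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, is_leaking(body), [f[0] for f in scan_response(body)])
```

Run against the response to a reset request for a test account after any change to the mail configuration; a non-empty result means the page is showing output that belongs only in the mail transport.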