Skip to content

smtplib — cleartext

Cleartext Transmission of Sensitive Information in the smtplib Module

The Python module smtplib provides a number of functions for accessing SMTP servers. However, the default behavior of the module does not provide utilize secure connections. This means that data transmitted over the network, including passwords, is sent in cleartext. This makes it possible for attackers to intercept and read this data.

The Python module smtplib should only in a secure mannner to protect sensitive data when accessing SMTP servers.

Example

smtplib_smtp_login.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import smtplib


def prompt(prompt):
    return input(prompt).strip()

fromaddr = prompt("From: ")
toaddrs  = prompt("To: ").split()
print("Enter message, end with ^D (Unix) or ^Z (Windows):")

# Add the From: and To: headers at the start!
msg = ("From: %s\r\nTo: %s\r\n\r\n" % (fromaddr, ", ".join(toaddrs)))
while True:
    try:
        line = input()
    except EOFError:
        break
    if not line:
        break
    msg = msg + line

print("Message length is", len(msg))

server = smtplib.SMTP('localhost')
server.login("user", "password")
server.set_debuglevel(1)
server.sendmail(fromaddr, toaddrs, msg)
server.quit()
Example Output 
> precli tests/unit/rules/python/stdlib/smtplib/examples/smtplib_smtp_login.py
⛔️ Error on line 25 in tests/unit/rules/python/stdlib/smtplib/examples/smtplib_smtp_login.py
PY016: Cleartext Transmission of Sensitive Information
The 'smtplib.SMTP.login' function will transmit authentication information such as a user, password in cleartext.

Remediation

If the SMTP protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using SMTP_SSL class. Alternatively, the starttls function can be used to enter a secure session.

smtplib_smtp_login.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import smtplib


def prompt(prompt):
    return input(prompt).strip()

fromaddr = prompt("From: ")
toaddrs  = prompt("To: ").split()
print("Enter message, end with ^D (Unix) or ^Z (Windows):")

# Add the From: and To: headers at the start!
msg = ("From: %s\r\nTo: %s\r\n\r\n" % (fromaddr, ", ".join(toaddrs)))
while True:
    try:
        line = input()
    except EOFError:
        break
    if not line:
        break
    msg = msg + line

print("Message length is", len(msg))

server = smtplib.SMTP_SSL('localhost')
server.login("user", "password")
server.set_debuglevel(1)
server.sendmail(fromaddr, toaddrs, msg)
server.quit()

Default Configuration

enabled = true
level = "error"

See also

Info

New in version 0.1.9