[exim-dev] [Bug 3066] New: tainted search query is not prope…

Top Page
Delete this message
Reply to this message
Author: Exim Bugzilla
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 3066] tainted search query is not properly quoted discloses mysql password, [exim-dev] [Bug 3066] tainted search query is not properly quoted discloses mysql password, [exim-dev] [Bug 3066] tainted search query is not properly quoted discloses mysql password
Subject: [exim-dev] [Bug 3066] New: tainted search query is not properly quoted discloses mysql password
https://bugs.exim.org/show_bug.cgi?id=3066

            Bug ID: 3066
           Summary: tainted search query is not properly quoted  discloses
                    mysql password
           Product: Exim
           Version: 4.97
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Lookups
          Assignee: unallocated@???
          Reporter: david@???
                CC: exim-dev@???


When a tainted search query is not properly quoted mysql password is written to
the log file like this:

2024-01-10 07:23:19 1rNRzj-000000005h9-02A a tainted search query is not
properly quoted (ACL warn, /usr/local/exim/exim.acl 1645):
servers=sql.foo.bar/database/user/password; INSERT INTO emails
(mid,when,ip,email) VALUES ( '1rNRzj-000000005h9-02Aa-21895@???',
NOW(),'127.0.0.1','root@localhost')

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/