[Exim] Security when using quote_mysql?

Página Inicial
Delete this message
Reply to this message
Autor: Jakob Hirsch
Data:  
Para: exim-users
Assunto: [Exim] Security when using quote_mysql?
Hi,

According to exim-spec 6.12 backslashes should be escaped when using
quote_mysql. We use something like
where local_part="${quote_mysql:${extract {1}{@%!}{$1}}}"
in the server_password query for the cram-md5 authenticator (the first
part of 'user@domain' is extracted and used in the query) and the
problem right now is, that with exim -be it looks good but if you login
with 'user\@domain' the query badly fails:

Authentication failed for xxxxxxxxxxxxxxxxxxxxxxxxxx
[xxxxxxxxxxxxxxxxxxxx]: 435 Unable to authenticate at present: lookup of
" select password_hash from popbox where local_part='user\' and
domain_name='domain' " gave DEFER: MYSQL: query failed: You have an
error in your SQL syntax near 'domain' ' at line 1

Am I using quote_mysql in the wrong way or is this really a security
issue? (I think I'll workaround this at first by stripping all
backslashes...)

And even worse, I really don't think that such a verbose error message
should be sent back in the SMTP dialogue:

220 xxxxxxxxxxxxxxxxxxxxxxxxx ESMTP Exim 3.34 #1 Sun, 17 Mar 2002
05:22:16 +0100
auth cram-md5
334 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dXNlclxAZG9tYWluIDYyZWM2NWZmYTFhOTEzODM5ZDNlM2RmMDJhNmI4OThi
435 Unable to authenticate at present: lookup of " select password_hash
from popbox where local_part='user\' and domain_name='domain' " gave
DEFER: MYSQL: query failed: You have an error in your SQL syntax near
'domain' ' at line 1

quit
221 xxxxxxxxxxxxxxxxxxxxxxxxx closing connection


--
Bye, Jakob