[Exim] Empty password/CDB lookup gotcha

Author: Paul Makepeace
Date:  
To: exim-users
Subject: [Exim] Empty password/CDB lookup gotcha
Spot the bug in the following line, and how to exploit it:

server_condition = ${if eq{$3}{${lookup {$2} cdb {/etc/mail/smtpauth.cdb}{$value}}}{yes}{no}}

The exploit is that empty passwords given during the AUTH phase match
nicely with non-existent users in the CDB file.

Instead,

server_condition = ${if and { {!eq {$2}{}} {eq{$2}{${lookup {$1} cdb {/etc/mail/smtpauth.cdb}{$value}}}} } {yes}{no}}

which ensures there's a password in there. I wonder how many other
checks let an empty password slip by? Seems an easy mistake to make.

Unfortunately this error was spotted by a spammer who AUTH LOGIN'ed as
webmaster with no password, and effectively turned one of my MTAs into
an open relay. Fortunately I caught it as spamassassin tripped a load
meter but it was still an ugly scene. I haven't fully analyzed it yet
but the spamming seemed distributed - all sorts of IPs "realized" the
situation at once.

Paul

--
Paul Makepeace ....................................... http://paulm.com/

"If I gave out fish, then I am a girl."
-- http://paulm.com/toys/surrealism/
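To make the gotcha concrete, here is an added illustration (not code from the post or from Exim) that models the two server_condition checks in Python. The CDB file is replaced by a constructed dictionary, and cdb_lookup() models the documented behaviour of an Exim lookup with a plain {$value} success string and no failure string: a key that is not in the file expands to the empty string, which is exactly what an empty AUTH password also expands to, so the vulnerable eq{} test matches. The audit() helper runs a list of login attempts through either check so other conditions can be tested the same way.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for /etc/mail/smtpauth.cdb: username -> plaintext password.
SMTPAUTH_CDB: Dict[str, str] = {
    "alice": "s3cret",
    "bob": "hunter2",
}

Condition = Callable[[str, str], bool]


def cdb_lookup(table: Dict[str, str], key: str) -> str:
    """Model ${lookup {key} cdb {file}{$value}} with no failure string:
    a missing key yields "", indistinguishable from an empty password."""
    return table.get(key, "")


def vulnerable_condition(user: str, password: str) -> bool:
    """Models: ${if eq{$password}{${lookup {$user} cdb {...}{$value}}}{yes}{no}}
    Accepts an unknown user with an empty password because "" == ""."""
    return password == cdb_lookup(SMTPAUTH_CDB, user)


def fixed_condition(user: str, password: str) -> bool:
    """Models the post's corrected form:
    ${if and { {!eq {$password}{}} {eq{$password}{${lookup ...}}} } {yes}{no}}
    The extra !eq test rejects an empty password before the lookup is compared."""
    return password != "" and password == cdb_lookup(SMTPAUTH_CDB, user)


def audit(condition: Condition, attempts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (user, password) attempts that the given condition would accept.
    Use this to check any server_condition variant against a list of edge cases."""
    return [(u, p) for (u, p) in attempts if condition(u, p)]


# Constructed login attempts covering the cases discussed in the post.
ATTEMPTS: List[Tuple[str, str]] = [
    ("alice", "s3cret"),      # valid credentials
    ("alice", ""),            # known user, empty password
    ("webmaster", ""),        # unknown user, empty password (the spammer's case)
    ("webmaster", "guess"),   # unknown user, non-empty password
]

if __name__ == "__main__":
    print("vulnerable accepts:", audit(vulnerable_condition, ATTEMPTS))
    print("fixed accepts:     ", audit(fixed_condition, ATTEMPTS))
```

Running the script shows the vulnerable check accepting both ("alice", "s3cret") and ("webmaster", ""), while the fixed check accepts only the valid pair. The same audit list is a cheap regression test for any other authenticator condition you are unsure about.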