Re: [Exim] [ Exim 3.36 ] SMTP AUTH hacked ?

Author: Philip Hazel
Date:  
To: Oliver Fleischmann
CC: exim-users
Subject: Re: [Exim] [ Exim 3.36 ] SMTP AUTH hacked ?
On Wed, 5 Mar 2003, Oliver Fleischmann wrote:

> Is the example in the Exim book (on page 365) safe?
>
> server_condition = ${if crypteq{$3}\
>    {${extract{1}{:}{${lookup{$2}lsearch{/etc/passwd}{$value}}}}\
>    }{yes}{no}}


Yes. Analysis: If the lookup fails, it will yield the empty string,
so you have

server_condition = ${if crypteq{$3}\
{${extract{1}{:}{}}\
}{yes}{no}}

Extracting the first string from an empty string also gives an empty
string, so we end up with

server_condition = ${if crypteq{$3}{}{yes}{no}}

The crypteq condition always fails if the encoded string has fewer than
two characters (the salt).

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
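
The three expansion steps analysed in the message above, modelled in Python as an added example; it is not part of the original message and is not Exim's code. The helper names are hypothetical, the passwd data is constructed, and toy_crypt is a labelled stand-in for crypt(3); the example also goes one step beyond the message by applying the same two-character rule to one-character placeholder fields such as "x" or "*".

```python
import hashlib
import hmac

# Constructed sample in /etc/passwd layout; these are not real accounts.
PASSWD = """\
alice:{alice_hash}:1000:1000:Alice:/home/alice:/bin/sh
shadowed:x:1001:1001:Shadowed:/home/shadowed:/bin/sh
locked:*:1002:1002:Locked:/home/locked:/bin/sh
"""

def toy_crypt(password, salt):
    # Stand-in for crypt(3) (assumption): two-character salt, then a digest.
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()

def lsearch(key, text):
    # Models ${lookup{key}lsearch{file}{$value}}: the rest of the matching
    # line after the key, or the empty string when the lookup fails.
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name == key:
            return rest
    return ""

def extract_field(n, sep, s):
    # Models ${extract{n}{sep}{s}}: the n-th field (1-based); an empty
    # input or a missing field gives the empty string.
    fields = s.split(sep) if s else []
    return fields[n - 1] if 0 < n <= len(fields) else ""

def crypteq(password, encoded):
    # Rule stated in the message: an encoded string with fewer than two
    # characters (no room for the salt) always fails.
    if len(encoded) < 2:
        return False
    candidate = toy_crypt(password, encoded[:2])
    return hmac.compare_digest(candidate.encode(), encoded.encode())

def server_condition(user, password, text):
    # lookup -> extract -> crypteq, in the order the book's example nests them.
    return crypteq(password, extract_field(1, ":", lsearch(user, text)))

SAMPLE = PASSWD.format(alice_hash=toy_crypt("correct horse", "ab"))

if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("nosuchuser", ""), ("shadowed", "x"), ("locked", "")]:
        print(user, repr(pw), server_condition(user, pw, SAMPLE))
```

Under this model an unknown user is rejected whatever password is supplied, including the empty one, and so is any account whose password field is a one-character placeholder.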