[Exim] possible AUTH LOGIN bug

Author: John Jetmore
Date:  
To: exim-users
Subject: [Exim] possible AUTH LOGIN bug
I've been testing various combinations of good/bad/empty passwords and
usernames for all the auth types, and I found what looks to be a bug in
LOGIN. I have the following authenticator:

auth_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if eq{${lookup{$1}dbmnz{GRULESD/auth.db}}}{$2}}{yes}{no}
server_set_id = $1

When I try to authenticate with a null username, $1 gets set to the
password. Observe:

-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
->
<- 334 UGFzc3dvcmQ6
-> dGVzdHBhc3M=
*** 535 Incorrect authentication data
=== No authentication type succeeded

The following entry gets put in the log file for this attempt:

2003-03-17 16:19:23 perl_auth_login authenticator failed for (HOST) [IP]: 535 Incorrect authentication data (set_id=testpass)

Notice I'm logging $1 and the password shows up in the logfile. I have no
need for null usernames in real life, but I thought I'd report this.

--John
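
An added example, not part of the original message and not Exim's code: it decodes the AUTH LOGIN exchange quoted above and models the reported symptom, then shows a guard that only logs an ID when every prompt got a non-empty first answer. The function names and the "empty replies are dropped" model are assumptions chosen to reproduce the observed shift of the password into $1.

```python
import base64

# Exchange copied from the message above: (side, base64 payload as sent on the wire).
SESSION = [("S", "VXNlcm5hbWU6"), ("C", ""),
           ("S", "UGFzc3dvcmQ6"), ("C", "dGVzdHBhc3M=")]

def b64(payload):
    """Decode one base64 SMTP AUTH line; an empty line decodes to ''."""
    return base64.b64decode(payload).decode("ascii")

def prompts(session):
    return [b64(p) for side, p in session if side == "S"]

def client_responses(session):
    return [b64(p) for side, p in session if side == "C"]

def assign_dropping_empty(responses):
    """Assumed model of the symptom: empty replies are skipped, so later
    replies move down one slot and the password ends up in $1."""
    kept = [r for r in responses if r != ""]
    return {f"${i}": v for i, v in enumerate(kept, start=1)}

def assign_positional(responses):
    """Each prompt keeps its own slot, even when the reply is empty."""
    return {f"${i}": v for i, v in enumerate(responses, start=1)}

def set_id_for_log(variables, prompt_count):
    """Return a value that is safe to log as set_id.

    Only trust $1 as an identity when every prompt produced a variable
    and $1 is non-empty; otherwise log nothing rather than whatever
    happens to sit in $1.
    """
    if len(variables) != prompt_count or not variables.get("$1"):
        return ""
    return variables["$1"]

if __name__ == "__main__":
    replies = client_responses(SESSION)
    n = len(prompts(SESSION))
    for name, fn in (("dropping", assign_dropping_empty),
                     ("positional", assign_positional)):
        v = fn(replies)
        print(name, v, "logged set_id=%r" % set_id_for_log(v, n))
```
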