[Exim] possible AUTH LOGIN bug

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: John Jetmore
Data:  
Para: exim-users
Assunto: [Exim] possible AUTH LOGIN bug
I've been testing various combination of good/bad/empty passwords and
usernames for all the auth types, and I found what looks to be a bug in
LOGIN. I have the following authenticator:

auth_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if eq{${lookup{$1}dbmnz{GRULESD/auth.db}}}{$2}}{yes}{no}
server_set_id = $1

When I try to authenticate with a null username, $1 gets set to the
password. observe:

-> AUTH LOGIN
<- 334 VXNlcm5hbWU6
->
<- 334 UGFzc3dvcmQ6
-> dGVzdHBhc3M=
*** 535 Incorrect authentication data
=== No authentication type succeeded

The following entry gets put in the log file for this attempt:

2003-03-17 16:19:23 perl_auth_login authenticator failed for (HOST) [IP]: 535 Incorrect authentication data (set_id=testpass)

notice I'm logging $1 and the password shows up in the logfile. I have no
need for null usernames in real life, but I thought I'd report this.

--John