[Exim] E-mail address SQL problem

Author: Adam H. Pendleton
Date:  
To: exim-users
Subject: [Exim] E-mail address SQL problem
I'm not subscribed to the list, so could you please send replies
directly to me? Thanks!

In my exim configuration file, I have the following SQL command for
system-wide aliases:

# PgSQL system aliases
pgsql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql{SELECT dest FROM email_aliases \
            WHERE alias='${local_part}' AND type='system'}}


I am currently having a problem with an e-mail message *from* a user
with this e-mail address (obviously forged): "o'd@???". I won't
connect the dots here, but if you perform the above SQL query with the
local part of that e-mail address, it causes a pretty big problem.
Looking at it, it would appear that I could theoretically craft an
e-mail address that could be used as a SQL injection attack. In fact,
I've tried, and it works (with escape characters, think MAIL FROM:
<o'\;select\ *\ from\ table\;@yahoo.com>).

My questions are:

1. Why is exim performing this system aliases lookup for a from
address? Shouldn't sender verify be done somewhere else?

2. What can I do to prevent this from being a real problem?

ahp
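Hardened version of the router quoted in the message above, added here as an illustration and not part of the original post: the local part is passed through Exim's quote_pgsql expansion operator, which escapes quote characters before the value is interpolated into the SQL statement. Table and column names are assumed to be the same as in the poster's router.

```exim
# PgSQL system aliases (hardened): never interpolate $local_part raw
# into SQL. ${quote_pgsql:...} escapes single quotes (and backslashes)
# so that a local part such as  o'd  or  o';select ...  becomes inert
# string data instead of SQL syntax.
pgsql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql{SELECT dest FROM email_aliases \
            WHERE alias='${quote_pgsql:$local_part}' AND type='system'}}
```

The same operator belongs in every other pgsql lookup that interpolates $local_part, $domain or a sender address (including any used during sender verification), since a forged MAIL FROM reaches those lookups just as it reached this one.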