I'm not subscribed to the list, so could you please send replies
directly to me? Thanks!
In my exim configuration file, I have the following SQL command for
system-wide aliases:
# PgSQL system aliases
pgsql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  # $local_part is interpolated directly into the SQL text, unquoted
  data = ${lookup pgsql{SELECT dest FROM email_aliases \
           WHERE alias='${local_part}' AND type='system'}}
I am currently having a problem with an e-mail message *from* a user
with this (obviously forged) e-mail address: "o'd@???". I won't
connect the dots here, but if you perform the above SQL query with the
local part of that e-mail address, it causes a pretty big problem.
Looking at it, it would appear that I could theoretically craft an
e-mail address that could be used as a SQL injection attack. In fact,
I've tried, and it works (with escape characters, think MAIL FROM:
<o'\;select\ *\ from\ table\;@yahoo.com>).
My questions are:
1. Why is exim performing this system aliases lookup for a from
address? Shouldn't sender verify be done somewhere else?
2. What can I do to prevent this from being a real problem?
ahp
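To make the problem in the router above concrete, here is an added example that is not part of the original post and does not use the poster's data. It reproduces the `email_aliases` lookup against an in-memory SQLite table (a stand-in for the PgSQL backend), once by pasting the local part into the SQL text exactly as the router does, and once with a bound parameter. The local parts tried are constructed: a legitimate alias, the `o'd` address from the post, a tautology, and a `--` comment that strips the `type='system'` restriction. Note that `sqlite3.execute` refuses stacked statements, so the poster's `;select ...` variant is not reproduced here.

```python
import sqlite3

# Constructed sample alias table; the poster's real table is not shown.
ALIASES = [
    ("postmaster", "root@example.org", "system"),
    ("abuse", "security@example.org", "system"),
    ("bob", "bob@mail.example.org", "user"),
]

# Constructed local parts, as they would arrive in $local_part from MAIL FROM.
SAMPLE_LOCAL_PARTS = {
    "normal": "postmaster",
    "apostrophe": "o'd",
    "tautology": "x' OR '1'='1",
    "comment": "x' OR type='user' --",
}


def make_db():
    """Build an in-memory stand-in for the email_aliases table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE email_aliases (alias TEXT, dest TEXT, type TEXT)")
    conn.executemany("INSERT INTO email_aliases VALUES (?, ?, ?)", ALIASES)
    return conn


def lookup_vulnerable(conn, local_part):
    """Mirror the posted router: the local part is spliced into the SQL text."""
    sql = (
        f"SELECT dest FROM email_aliases WHERE alias='{local_part}' "
        f"AND type='system' ORDER BY dest"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, local_part):
    """Same query with the local part passed as a bound parameter."""
    sql = (
        "SELECT dest FROM email_aliases WHERE alias=? "
        "AND type='system' ORDER BY dest"
    )
    return [row[0] for row in conn.execute(sql, (local_part,))]


def demo():
    """Run every sample local part through both lookups.

    Returns {label: (vulnerable_result, safe_result)}; a vulnerable lookup
    that breaks the SQL is reported as an 'error: ...' string instead of a list.
    """
    conn = make_db()
    results = {}
    for label, local_part in SAMPLE_LOCAL_PARTS.items():
        try:
            vulnerable = lookup_vulnerable(conn, local_part)
        except sqlite3.OperationalError as exc:
            vulnerable = f"error: {exc}"
        results[label] = (vulnerable, lookup_safe(conn, local_part))
    return results


if __name__ == "__main__":
    for label, (vulnerable, safe) in demo().items():
        print(f"{label:11s} vulnerable={vulnerable!r:45s} safe={safe!r}")
```

The apostrophe case is the poster's deferral problem (the query itself fails), the tautology returns every system alias regardless of the local part, and the comment case returns a non-system alias, so the `type='system'` restriction is gone. With the bound parameter all three return nothing. In exim itself the equivalent of the bound parameter is the `quote_pgsql` expansion operator, i.e. writing `alias='${quote_pgsql:$local_part}'` in the lookup. On question 1: `verify = sender` works by running the routers against the sender address, which is why this redirect router sees the forged MAIL FROM local part at all.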