[Exim] Exim and SQL injection

Página superior
Este mensaje es parte del siguiente hilo:
MEl árbol completo de hilos, ordenados por fecha
M 
Odhiambo G. Washington, mensaje del ->
Eliminar este mensaje
Responder a este mensaje
Autor: Jan Suchanek
Fecha:  
A: exim-users
Asunto: [Exim] Exim and SQL injection
Hi,

I am using Exim with a PGSQL user account management. One thing I want
to use is SMTP AUTH with my database... something like:

fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::

server_condition = "${if eq \
{${lookup pgsql{SELECT pw FROM users WHERE localname='$1'}}} \
{$2} \
{yes}{no}}"
server_set_id = $1

which works quite good. But what happens when an user provides a
password like

';delete from users;'

(OK... it is not neccessary to grand the exim database user write
(insert/delete/update) rights on this table - I know this ...)

This injection is of course also possible at other places (get the users
of a list (how does exim handel e-mail address with ; and ' in it - this
are illegal characters in a e-mail address, aren't they)

So how do I secure exim?

- No write rights on all tables

what else should be kept in mind?

Thanks..

Jan


Este mensaje se envió a las siguientes listas de correo:
Exim-users
Información de la lista de correo | Mensajes cercanos		<-[Exim] re-exec of exim (/usr/sbin/exim) with -q failed: Permission deniedRe: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?->
Tahini and Hummus and Cumin Development Archives administrado por cumin AdminsLurker (versión 2.3)