[Exim] Exim and SQL injection

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jan Suchanek
Date:  
À: exim-users
Sujet: [Exim] Exim and SQL injection
Hi,

I am using Exim with a PGSQL user account management. One thing I want
to use is SMTP AUTH with my database... something like:

fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::

server_condition = "${if eq \
{${lookup pgsql{SELECT pw FROM users WHERE localname='$1'}}} \
{$2} \
{yes}{no}}"
server_set_id = $1

which works quite good. But what happens when an user provides a
password like

';delete from users;'

(OK... it is not neccessary to grand the exim database user write
(insert/delete/update) rights on this table - I know this ...)

This injection is of course also possible at other places (get the users
of a list (how does exim handel e-mail address with ; and ' in it - this
are illegal characters in a e-mail address, aren't they)

So how do I secure exim?

- No write rights on all tables

what else should be kept in mind?

Thanks..

Jan