* Jan Suchanek <jan.suchanek@???> [20040322 12:25]: wrote:
> Hi,
>
> I am using Exim with a PGSQL user account management. One thing I want
> to use is SMTP AUTH with my database... something like:
>
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
>
> server_condition = "${if eq \
> {${lookup pgsql{SELECT pw FROM users WHERE localname='$1'}}} \
> {$2} \
> {yes}{no}}"
> server_set_id = $1
>
> which works quite good. But what happens when an user provides a
> password like
>
> ';delete from users;'
>
grep quote_pgsql spec.txt
I believe that solves the problem.
> (OK... it is not neccessary to grand the exim database user write
> (insert/delete/update) rights on this table - I know this ...)
>
> This injection is of course also possible at other places (get the users
> of a list (how does exim handel e-mail address with ; and ' in it - this
> are illegal characters in a e-mail address, aren't they)
>
> So how do I secure exim?
>
> - No write rights on all tables
Depend on you situation. In mine, exim only does lookup, so I give it
the permissions to do "lookup" and that's it.
cheers
- wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
<wash at wananchi dot com> . 1ere Etage, Loita Hse, Loita St., |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
--from a /. post
