Re: [Exim] Exim and SQL injection

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: Re: [Exim] Exim and SQL injection
* Jan Suchanek <jan.suchanek@???> [20040322 12:25] wrote:
> Hi,
>
> I am using Exim with a PGSQL user account management. One thing I want
> to use is SMTP AUTH with my database... something like:
>
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
>
> server_condition = "${if eq \
> {${lookup pgsql{SELECT pw FROM users WHERE localname='$1'}}} \
> {$2} \
> {yes}{no}}"
> server_set_id = $1
>
> which works quite well. But what happens when a user provides a
> password like
>
> ';delete from users;'
>


grep quote_pgsql spec.txt

I believe that solves the problem.


> (OK... it is not necessary to grant the exim database user write
> (insert/delete/update) rights on this table - I know this ...)
>
> This injection is of course also possible at other places (get the users
> of a list (how does exim handle e-mail addresses with ; and ' in them - these
> are illegal characters in an e-mail address, aren't they?)
>
> So how do I secure exim?
>
> - No write rights on all tables


Depends on your situation. In mine, exim only does lookups, so I give it
the permissions to do "lookup" and that's it.


        cheers
       - wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington                     . WANANCHI ONLINE LTD (Nairobi, KE)  |
<wash at wananchi dot com>              . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223                 . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121                 . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
                         --from a /. post
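The posted server_condition splices $1 (the LOGIN username) straight into the SQL; $2 (the password) is only compared with the lookup result outside the query. The example below is added here and is not from the thread or from Exim; it models that lookup against an in-memory SQLite table (table and rows are constructed for the example) to show two things: a read-only database account, as suggested in the reply, stops the DELETE but not an authentication bypass, because a UNION injected through the username makes the lookup return a password the attacker chose; and the naive query also breaks on a legitimate username containing a quote. The escaping function doubles single quotes, which is the SQL-standard literal escape; it stands in for Exim's ${quote_pgsql:...} operator (which does its own escaping, per spec.txt) and is not that operator.

```python
"""Added example, not Exim's code: model of the posted pgsql lookup
condition against SQLite, with the username spliced in raw versus escaped."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for this example: two accounts, one whose
    # name contains a single quote.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (localname TEXT PRIMARY KEY, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("jan", "s3cret"), ("o'brien", "pw2")])
    db.commit()
    return db


def lookup(db: sqlite3.Connection, sql: str):
    """Rough model of Exim's single-column pgsql lookup: the matching
    rows joined by newline, or None when nothing matched.  How Exim
    handles a failed or erroring lookup is not modelled; here a no-match
    simply fails the authentication."""
    rows = db.execute(sql).fetchall()
    if not rows:
        return None
    return "\n".join(r[0] for r in rows)


def vulnerable_condition(db, user: str, password: str) -> bool:
    # Same shape as the posted config: $1 goes straight into the query.
    sql = f"SELECT pw FROM users WHERE localname='{user}'"
    return lookup(db, sql) == password


def quote_sql_literal(s: str) -> str:
    # Standard-SQL escaping for a '...' literal: double every single quote.
    # Stand-in for ${quote_pgsql:$1}; Exim's operator has its own rules.
    return s.replace("'", "''")


def hardened_condition(db, user: str, password: str) -> bool:
    sql = f"SELECT pw FROM users WHERE localname='{quote_sql_literal(user)}'"
    return lookup(db, sql) == password


def query_fails(db, user: str) -> bool:
    """True when the unquoted query is not even valid SQL for this user,
    i.e. a legitimate name with an apostrophe breaks the naive lookup."""
    try:
        vulnerable_condition(db, user, "irrelevant")
        return False
    except sqlite3.Error:
        return True


def demo() -> dict:
    db = make_db()
    # Only SELECT is needed for this bypass, so a read-only DB user does
    # not prevent it: the injected UNION returns the attacker's own value.
    payload = "x' UNION SELECT 'letmein' --"
    return {
        "honest_login_raw": vulnerable_condition(db, "jan", "s3cret"),
        "wrong_pw_raw": vulnerable_condition(db, "jan", "wrong"),
        "bypass_raw": vulnerable_condition(db, payload, "letmein"),
        "bypass_quoted": hardened_condition(db, payload, "letmein"),
        "honest_login_quoted": hardened_condition(db, "jan", "s3cret"),
        "apostrophe_raw_breaks": query_fails(db, "o'brien"),
        "apostrophe_quoted_ok": hardened_condition(db, "o'brien", "pw2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the Exim config itself the corresponding change is to the lookup string only, e.g. `{${lookup pgsql{SELECT pw FROM users WHERE localname='${quote_pgsql:$1}'}}}`; the read-only grant then covers what escaping does not (a write through some other, unquoted query), while escaping covers what the grant does not (a SELECT-only bypass of the password check).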