Re: [exim] SQL Injection

Page principale
Ce message fait partie du fil suivant :
M\Arborescence complète du fil triée par date
MMAdrian à <-
Warren à ->
Supprimer ce message
Répondre à ce message
Auteur: Jakob Hirsch
Date:  
À: Adrian
CC: exim-users
Sujet: Re: [exim] SQL Injection
Adrian wrote:

> By having
> server_condition = ${if crypteq {$3}{${lookup pgsql {SELECT password FROM users WHERE username='$2'}}}{yes}{no}}
> in the authenticator it was possible for me to execute a bad SQL query
> by sending this username:
> test'; INSERT INTO valid_email_addresses VALUES ('adrian', 'evil@???'); SELECT '

${quote_mysql:

> Is there a way to prevent this except by disabling write access for
> ths database user (which is certainly not a way to circumvent sql

It's always a good idea to have a database user with only the required
rights.


Ce message a été envoyé sur les listes de diffusion suivantes :
Exim-users
Informations sur la liste de diffusion | Messages voisins		<-[exim] SQL InjectionRe: [exim] problem with certain DNS lookups for NS records->
Tahini and Hummus and Cumin Development Archives administré par cumin AdminsLurker (version 2.3)