Re: [exim] SQL Injection

Página Inicial
Delete this message
Reply to this message
Autor: Warren
Data:  
CC: exim-users
Assunto: Re: [exim] SQL Injection
Adrian wrote:

>Hi,
>
>I've noticed that SQL Injection is possible when using a SQL Query for
>SMTP AUTH.
>By having
>server_condition = ${if crypteq {$3}{${lookup pgsql {SELECT password FROM users WHERE username='$2'}}}{yes}{no}}
>in the authenticator it was possible for me to execute a bad SQL query
>by sending this username:
>test'; INSERT INTO valid_email_addresses VALUES ('adrian', 'evil@???'); SELECT '
>
>Is there a way to prevent this except by disabling write access for
>ths database user (which is certainly not a way to circumvent sql
>injection problems). Maybe there exists a function to escape the
>arguments before they are inserted in the query?
>
>
>

Grant only SELECT access to the user accessing the database. Also make
use of ${*quote_pgsql...

http://www.exim.org/exim-html-4.60/doc/html/spec.html/ch09.html#id2546243
*
Warren