Re: [exim] mysql authentication problem...

Inizio della pagina
Delete this message
Reply to this message
Autore: Mike Cardwell
Data:  
To: exim-users
Oggetto: Re: [exim] mysql authentication problem...
John Doe wrote:

> End of the week => SELECT password instead of login, plus trailing "...
> I also changed a few things:
>
> AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '$2' AND password = MD5('$3')
> AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '$1' AND password = MD5('$2')
>
> PLAIN:
>   driver                     = plaintext
>   public_name                = PLAIN
>   server_prompts             = :
>   server_condition           = ${lookup mysql{AUTH_PLAIN_QUERY}{1}fail}
>   server_advertise_condition = ${if def:tls_cipher }
>   server_set_id              = $2

>
> LOGIN:
>   driver                     = plaintext
>   public_name                = LOGIN
>   server_prompts             = <| Username: | Password:
>   server_condition           = ${lookup mysql{AUTH_LOGIN_QUERY}{1}fail}
>   server_advertise_condition = ${if def:tls_cipher }
>   server_set_id              = $1

>
> Anything looks wrong or could be done better?


You're open to SQL injection attacks as you haven't escaped apostrophes
in the login name or password. For example:

login = '$2'

Should be:

login = '${quote_mysql:$2}'

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/