Re: [exim] pgsql login allowing mysterious sending

Author: Chris Wilson
Date:  
To: Mark Adams
CC: Exim users list, Chris Wilson
Subject: Re: [exim] pgsql login allowing mysterious sending
Hi Mark,

> I've tested again and it is accepting BOTH a blank username and password
> as successful.
OK, I understood from your initial description that you had already tested
this, which is why I didn't suggest it.

> We've added in an exception when the user is not found, which causes
> exim to receive an error and not accept blank username/password. This
> must be a problem with my Exim configuration though. If 0 rows are
> returned why isn't the authentication attempt rejected?

There is a section on this in the manual:

"Warning: If you use a lookup in the expansion to find the user's
password, be sure to make the authentication fail if the user is unknown.
There are good and bad examples at the end of the next section...

Why is this example incorrect? It works fine for existing users, but
consider what happens if a non-existent user name is given. The lookup
fails, but as no success/failure strings are given for the lookup, it
yields an empty string. Thus, to defeat the authentication, all a client
has to do is to supply a non-existent user name and an empty password."

Your query will return no rows (empty string) for both username and
password if the user does not exist. That's probably why this combination
is allowed.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
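To make the failure mode concrete, here is an added example (not code from Chris's message, Mark's configuration, or the Exim manual) of a PLAIN authenticator in the shape the thread describes, next to a hardened form. The authenticator name and the `users` table with `username` and `password` columns are assumptions; the expansion semantics are those quoted from the manual above: a lookup with no success/failure strings yields an empty string when no row matches, whereas the `fail` keyword in the failure branch forces the whole `server_condition` expansion to fail, which Exim treats as an authentication failure.

```exim
# --- VULNERABLE (assumed config): lookup has no success/failure strings ---
# For an unknown user the query returns no rows, the lookup yields "",
# and eq{$auth3}{""} is true whenever the client sends an empty password.
pgsql_plain_bad:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if eq{$auth3}{${lookup pgsql{SELECT password FROM users \
                       WHERE username = '${quote_pgsql:$auth2}'}}}}
  server_set_id = $auth2

# --- HARDENED (assumed config): unknown user => forced expansion failure ---
# {$value} is returned on success; "fail" in the failure branch makes the
# server_condition expansion fail, so authentication is rejected instead of
# comparing against an empty string. The !eq{$auth2}{} guard additionally
# rejects an empty username before any lookup is attempted.
pgsql_plain_good:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and {{!eq{$auth2}{}} \
                       {eq{$auth3}{${lookup pgsql{SELECT password FROM users \
                         WHERE username = '${quote_pgsql:$auth2}'}{$value}fail}}}}}
  server_set_id = $auth2
```

The `fail` branch alone already closes the hole in the thread, since an empty username also matches no row; the explicit empty-username check just makes the intent visible in the config. Note that `eq` still compares against whatever the column holds, so a row with an empty stored password would match an empty client password; in practice the column would hold a hash and the comparison would use `crypteq` (or similar) rather than `eq`.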