Re: [exim] pgsql login allowing mysterious sending

Pàgina inicial
Delete this message
Reply to this message
Autor: Chris Wilson
Data:  
A: Chris Wilson
CC: Exim users list, Mark Adams
Assumpte: Re: [exim] pgsql login allowing mysterious sending
On Tue, 4 May 2010, Chris Wilson wrote:

> Your query will return no rows (empty string) for both username and
> password if the user does not exist. That's probably why this
> combination is allowed.


Sorry, I was slightly wrong. If the user doesn't exist, Exim compares the
empty string (returned from the database) with the supplied username.

If the supplied username is empty, this test passes. If the supplied
password is also empty then similarly, that test passes.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |