Re: [exim] pgsql login allowing mysterious sending

Author: Mark Adams
Date:  
To: Chris Wilson
CC: Exim users list
Subject: Re: [exim] pgsql login allowing mysterious sending
Another lesson to RTFM! Thanks for your help Chris.

Regards,
Mark

On Tue, May 04, 2010 at 01:12:20PM +0200, Chris Wilson wrote:
> Hi Mark,
>
>> I've tested again and it is accepting BOTH a blank username and password
>> as successful.
>
> OK, I understood from your initial description that you had already
> tested this, which is why I didn't suggest it.
>
>> We've added in an exception when the user is not found, which causes
>> exim to receive an error and not accept blank username/password. This
>> must be a problem with my Exim configuration though. If 0 rows are
>> returned why isn't the authentication attempt rejected?
>
> There is a section on this in the manual:
>
> "Warning: If you use a lookup in the expansion to find the user's
> password, be sure to make the authentication fail if the user is unknown.
> There are good and bad examples at the end of the next section...
>
> Why is this example incorrect? It works fine for existing users, but
> consider what happens if a non-existent user name is given. The lookup
> fails, but as no success/failure strings are given for the lookup, it
> yields an empty string. Thus, to defeat the authentication, all a client
> has to do is to supply a non-existent user name and an empty password."
>
> Your query will return no rows (empty string) for both username and
> password if the user does not exist. That's probably why this combination
> is allowed.
>
> Cheers, Chris.
> -- 
> _ ___ __     _
>  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
> \ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
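A worked illustration of the failure Chris quotes from the manual, added here as an example; it is not part of the original thread and not Mark's actual configuration. It shows a LOGIN authenticator whose server_condition compares the password against a bare PostgreSQL lookup, beside the corrected form that uses the lookup's success/failure strings. The table and column names (users, name, pw) are assumptions.

```exim
# Added example (not Mark's configuration). Table and column names are assumed.
# For a LOGIN authenticator $auth1 is the username and $auth2 the password.

# BROKEN: when no row matches, the lookup fails and, with no success/failure
# strings given, yields an empty string. ${if eq{""}{""}} is "true", so an
# unknown username with an empty password authenticates.
pgsql_login_bad:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if eq{$auth2}{${lookup pgsql{\
      SELECT pw FROM users WHERE name = '${quote_pgsql:$auth1}'}}}}
  server_set_id = $auth1

# FIXED: the success string compares the stored value ($value) with the
# supplied password and also rejects an empty password; the failure string
# yields "false" when no row is returned, so an unknown user never passes.
# quote_pgsql escapes the username before it is placed in the query.
pgsql_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${lookup pgsql{\
      SELECT pw FROM users WHERE name = '${quote_pgsql:$auth1}'}\
      {${if and{{!eq{$auth2}{}}{eq{$value}{$auth2}}}}}\
      {false}}
  server_set_id = $auth1
```

The two authenticators are shown together only for side-by-side comparison; a real configuration keeps just the corrected one, and a quick check with an unknown username and an empty password should then be rejected.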