Re: [exim] Exim v4.72 - authenticating to server without hav…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Exim v4.72 - authenticating to server without having a valid account
On 09/07/2010 06:34 PM, Juergen Edner wrote:
>    fixed_cram:
>      driver = cram_md5
>      public_name = CRAM-MD5
>      server_secret = "\
>      ${if !eq{$1}{} \
>        {${lookup{$1}lsearch{/etc/mail-users.pwd}{$value}}}fail}"
>      server_set_id = $1


I may be reading this wrong, but you seem to be doing:

If the supplied name is null, fail.
Otherwise, lookup the name.
If the lookup works, compare the resulting password with that
supplied and pass or fail on the result.
If the lookup failed (because the name wasn't recognised)
compare the resulting *null string* with the supplied password...

So if the spammer can guess a name you've not used, and
supplies a null password, they're in.

This result depends on your not supplying a {<string2>} for the
lookup, which is used in the lookup-failed case. I think you want
"fail" (minus the quotes, and without {} ) immediately after "{$value}".

Reference: http://exim.org/exim-html-4.69/doc/html/spec_html/ch11.html


Also, to be thoroughly up-to-date with recent exim releases, you
could be using "$auth1" rather than "$1"

Cheers,
     Jeremy
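The two expansion behaviours Jeremy describes, modelled in Python as an added example (not Exim code and not part of the thread): one secret function returns the empty string on a lookup miss, as the posted config does without `fail`, the other forces failure as the suggested fix does. The user file contents, challenge and usernames are constructed; the CRAM-MD5 exchange itself follows RFC 2195 (HMAC-MD5 over the challenge, response is base64 of "user hexdigest").

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for /etc/mail-users.pwd (lsearch "key: value" lines)
USERS = {"alice": "s3cret"}


def secret_empty_on_miss(user: str) -> Optional[str]:
    """Posted config: no {<string2>} and no 'fail' after {$value},
    so a lookup miss expands to the empty string (the defect)."""
    if user == "":
        return None            # ${if !eq{$1}{} ... fail}: forced failure
    return USERS.get(user, "")  # unknown name -> "" is used as the secret


def secret_fail_on_miss(user: str) -> Optional[str]:
    """Suggested fix: 'fail' right after {$value}, so a miss forces
    expansion failure and the authenticator rejects the attempt."""
    if user == "":
        return None
    return USERS.get(user)      # unknown name -> None -> reject


def cram_md5_response(challenge: bytes, user: str, password: str) -> str:
    """Client side of CRAM-MD5: base64("<user> <hex HMAC-MD5(password, challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(challenge: bytes, response_b64: str,
                  secret_fn: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC with the looked-up secret and compare.
    A None secret models a forced expansion failure (authentication fails)."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = secret_fn(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


CHALLENGE = b"<1896.697170952@example.invalid>"  # constructed challenge


def unknown_user_empty_password_accepted(secret_fn) -> bool:
    """Regression check: does an unused name plus a null password get in?"""
    resp = cram_md5_response(CHALLENGE, "nosuchuser", "")
    return server_verify(CHALLENGE, resp, secret_fn)
```

Run the check against your own lookup logic before relying on it: the fixed variant must return False for the unknown-name case while still accepting a known user with the right password.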