Re: [exim] Exim v4.72 - authenticating to server without hav…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Juergen Edner
Data:  
Para: exim-users
Asunto: Re: [exim] Exim v4.72 - authenticating to server without having a valid account
Hello Jeremy,

>> fixed_cram:
>> driver = cram_md5
>> public_name = CRAM-MD5
>> server_secret = "\
>> ${if !eq{$1}{} \
>> {${lookup{$1}lsearch{/etc/mail-users.pwd}{$value}}}fail}"
>> server_set_id = $1
>
> I may be reading this wrong, but you seem to be doing:
>
> If the supplied name is null, fail.
> Otherwise, lookup the name.
> If the lookup works, compare the resulting password with that
> supplied and pass or fail on the result.
> If the lookup failed (because the name wasn't recognised)
> compare the resulting *null string* with the supplied password.....
>
> So if the spammer can guess a name you've not used, and
> supplies a null password, they're in.
>
> This result depends on your not supplying a {<string2>} for the
> lookup, which is used in the lookup-failed case. I think you want
> "fail" (minus the quotes, and without {} ) immediately after
> "{$value}".


thank you for that explanation. I've already modified the lookup
string and added a "fail" after the {value} string as recommended.

I cannot exactly remember where I got this lookup syntax from but
I think there are many "wrong" examples on the Internet and due to
the fact that syntax is working in most cases it's difficult to
identify this special case.

> Also, to be thoroughly up-to-date with recent exim releases, you
> could be using "$auth1" rather than "$1"


Thanks again for the hint, I'll change it instantly.

Regards
Juergen
--
GPG Key available