Re: [exim] MySQL Auth with SHA1 passwords?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MJasen Betts at <-
M 
Delete this message
Reply to this message
Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] MySQL Auth with SHA1 passwords?
Am 23.05.2013 13:45, schrieb Jasen Betts:
> On 2013-05-21, Cyborg <cyborg2@???> wrote:
>> Am 21.05.2013 10:53, schrieb Fabien Wang:
>>
>> just change the match from direct match to a indirect one:
>>
>>     server_condition = "${if and { \
>>                         {!eq{$1}{}} \
>>                         {!eq{$2}{}} \
>>                         {eq{1}{${lookup mysql{SELECT '1' FROM mailboxes WHERE  (domain =\
>>                         '${domain:$1}' \
>>                         AND password = sha1('$2') AND username = '${local_part:$1}')}{$value}fail}} }} {yes}{no}}"
>   That's a recipe for SQL injection,

>
>
because the mysqlquote() is missing, but that was already mentioned by
someone else.

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Exim with Dovecot, dovecot-lda, sieve and exim smart relayRe: [exim] SMTP-AUTH, Kerberos and SSL->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)