Re: [exim] spam sent by non-existent users

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] spam sent by non-existent users
On 2014-12-12, Jonathan Gilpin <jonathan@???> wrote:


>
> Hi,
>
> I have found spam has been sent out through our server by authenticated users which don't exist.
>
> e.g.

...
> A=fixed_login:info@???


> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${lookup mysql{SELECT concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE WHERE (concat(local_part,'@',domain) = '$1' OR email = '$1') AND password='$2'}{1}fail}
> server_set_id = $1


> Can anyone give me any pointers?


You're vulnerable to SQL injection.

The way you have it, any username works with the password "' OR ''='",
also the password "'OR True --", etc.

Try this fix.

 server_condition = ${lookup mysql{SELECT \
    concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE \
    WHERE (concat(local_part,'@',domain) = '${quote_mysql:$1}' \
       OR email = '${quote_mysql:$1}') \
      AND password='${quote_mysql:$2}' \
   }{1}fail}



--
umop apisdn
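The following is an added, self-contained illustration of the point made in this reply; it is not code from the thread or from Exim. It builds the same lookup query two ways, once by interpolating $1/$2 verbatim as the original server_condition does, and once through an escaping step standing in for ${quote_mysql:...}, then runs both against a constructed in-memory SQLite table with the same columns as MYSQL_AUTHTABLE. Assumptions: SQLite is used instead of MySQL (so the escaper doubles single quotes rather than backslash-escaping them, and `||` replaces concat()), the table name `auth` and all rows and credentials are made up, and `{1}fail` is modelled as "any row returned means success".

```python
import sqlite3

# Constructed sample rows (not from the mailing list); columns mirror the
# MYSQL_AUTHTABLE columns the original server_condition queries.
USERS = [
    ("info", "example.com", "info@example.com", "s3cret"),
    ("bob", "example.com", "bob@example.org", "it's"),   # password with a quote
]

# Both injected "passwords" quoted in the reply; used here only as test input.
INJECTED_PASSWORDS = ["' OR ''='", "'OR True --"]


def make_db():
    """In-memory stand-in for the MySQL auth table (assumed name: auth)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth (local_part TEXT, domain TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO auth VALUES (?,?,?,?)", USERS)
    return conn


def quote(value):
    """Stand-in for Exim's ${quote_mysql:...}: makes a value safe to embed
    between single quotes. MySQL escapes with a backslash; SQLite doubles the
    quote, so this emulation does the latter (assumption for this demo)."""
    return value.replace("'", "''")


def build_query(user, pwd, quoted):
    """Expand the lookup SQL the way Exim would, with or without quoting.
    `||` is SQLite's concatenation, used in place of MySQL's concat()."""
    if quoted:
        user, pwd = quote(user), quote(pwd)
    return (
        "SELECT local_part || '@' || domain FROM auth "
        f"WHERE (local_part || '@' || domain = '{user}' OR email = '{user}') "
        f"AND password='{pwd}'"
    )


def authenticate(conn, user, pwd, quoted):
    """Model of {1}fail: a row found means the AUTH succeeds, no row means fail.
    A syntax error in the expanded SQL is treated as a failed authentication."""
    try:
        row = conn.execute(build_query(user, pwd, quoted)).fetchone()
    except sqlite3.Error:
        return False
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    for pwd in INJECTED_PASSWORDS:
        print("unquoted, nonexistent user, injected password:",
              authenticate(conn, "nobody@example.com", pwd, quoted=False))
        print("quoted,   nonexistent user, injected password:",
              authenticate(conn, "nobody@example.com", pwd, quoted=True))
    print("quoted, real user with a quote in the password:",
          authenticate(conn, "bob@example.org", "it's", quoted=True))
```

The unquoted build turns `AND password='' OR ''=''` into a clause that is true for every row, so a username that is not in the table still gets a row back and the authenticator reports success; the quoted build keeps the injected text inside the string literal and no row matches. The second user shows the other side of the same defect: without quoting, a legitimate password containing a quote produces malformed SQL and that user cannot log in at all.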