On 2014-12-12, Jonathan Gilpin <jonathan@???> wrote:
>
> Hi,
>
> I have found spam has been sent out through our server by authenticated users who don't exist.
>
> e.g.
...
> A=fixed_login:info@???
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${lookup mysql{SELECT concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE WHERE (concat(local_part,'@',domain) = '$1' OR email = '$1') AND password='$2'}{1}fail}
> server_set_id = $1
> Can anyone give me any pointers?
You're vulnerable to SQL injection.
The way you have it, any username works with the password "' OR ''='",
also the password "'OR True --", etc.
Try this fix:
server_condition = ${lookup mysql{SELECT \
  concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE \
  WHERE (concat(local_part,'@',domain) = '${quote_mysql:$1}' \
  OR email = '${quote_mysql:$1}') \
  AND password='${quote_mysql:$2}' \
  }{1}fail}
--
umop apisdn
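To make the bypass described in the reply reproducible offline, here is an added example (not from either poster, and not Exim code): the original server_condition query and a safe variant are run against a constructed in-memory SQLite table standing in for MYSQL_AUTHTABLE. The safe variant uses bound parameters, which is how a Python driver keeps the credentials as data; in Exim the same separation is what ${quote_mysql:...} provides by escaping before the string is spliced into the query.

```python
import sqlite3

# Constructed stand-in for MYSQL_AUTHTABLE with one legitimate account (assumption).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authtable "
               "(local_part TEXT, domain TEXT, email TEXT, password TEXT)")
    db.execute("INSERT INTO authtable VALUES "
               "('info', 'example.com', 'info@example.com', 's3cret')")
    return db

# Mirrors the original server_condition: $1 and $2 are pasted straight into the SQL.
QUERY_UNSAFE = ("SELECT local_part || '@' || domain FROM authtable "
                "WHERE (local_part || '@' || domain = '{u}' OR email = '{u}') "
                "AND password = '{p}'")

def authenticate_unsafe(db, user, password):
    sql = QUERY_UNSAFE.format(u=user, p=password)
    return db.execute(sql).fetchone() is not None

# Same query with placeholders: the driver binds the values as data, so a quote
# inside the password cannot terminate the string literal or add an OR clause.
QUERY_SAFE = ("SELECT local_part || '@' || domain FROM authtable "
              "WHERE (local_part || '@' || domain = ? OR email = ?) "
              "AND password = ?")

def authenticate_safe(db, user, password):
    return db.execute(QUERY_SAFE, (user, user, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("info@example.com", "s3cret"),
                     ("nobody@example.com", "' OR ''='")]:
        print(f"{user!r} / {pw!r}: unsafe={authenticate_unsafe(db, user, pw)} "
              f"safe={authenticate_safe(db, user, pw)}")
```

Run it and the second line shows the unsafe query accepting a non-existent user, exactly the symptom reported in the thread, while the parameterised query rejects it.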