[exim-dev] [Bug 1643] New: Security hole in sqlite query

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1643] New: Security hole in sqlite query
https://bugs.exim.org/show_bug.cgi?id=1643

            Bug ID: 1643
           Summary: Security hole in sqlite query
           Product: Exim
           Version: 4.85
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: SMTP Authentication
          Assignee: pdp@???
          Reporter: gorelov@???
                CC: exim-dev@???


Greetings.

Got thousands of outgoing spam messages.

I have:
a) only one auth method enabled (auth_cram_md5)
b) only one sqlite table


Config section:



auth_cram_md5:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM accounts WHERE email='${quote_sqlite:$1}';}}



The problem was when a spammer authorizes with a login that does not exist in the
table. Then the query returns an empty string and, for some unknown reason, the secret
matches.

Had to change it to



server_secret = ${if \
                    eq {0}{${lookup sqlite{/etc/exim/accounts.db SELECT count(*) FROM accounts WHERE email='${quote_sqlite:$1}';}}} \
                    {testkalpopa}{${lookup sqlite{/etc/exim/accounts.db SELECT password FROM accounts WHERE email='${quote_sqlite:$1}';}}} \
                }




Now it denies wrong auth.

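Added example, not part of the original report and not Exim code: a Python model of CRAM-MD5 verification (RFC 2195) that can be used as a regression check for the lookup logic above. It assumes the server computes the HMAC over whatever string server_secret expands to; the table contents, addresses, challenge and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed sample data: a single accounts table with one real user.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts (email TEXT, password TEXT)")
db.execute("INSERT INTO accounts VALUES ('user@example.test', 's3cret')")
QUERY = "SELECT password FROM accounts WHERE email = ?"

def lookup_naive(email):
    """Models the first config: a query that matches no row yields ''."""
    row = db.execute(QUERY, (email,)).fetchone()
    return row[0] if row else ""

def lookup_strict(email):
    """Models a lookup that fails outright (None) on no row or empty secret."""
    row = db.execute(QUERY, (email,)).fetchone()
    return row[0] if row and row[0] else None

def client_response(user, password, challenge):
    """CRAM-MD5 client reply: base64('<user> <hex HMAC-MD5(password, challenge)>')."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_accepts(lookup, challenge, response):
    """Server side: recompute the HMAC with the looked-up secret and compare."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    secret = lookup(user)
    if secret is None:  # lookup failed: reject without computing anything
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

CHALLENGE = b"<1896.697170952@mail.example.test>"  # constructed challenge

if __name__ == "__main__":
    unknown = client_response("ghost@example.test", "", CHALLENGE)
    valid = client_response("user@example.test", "s3cret", CHALLENGE)
    for name, lookup in (("naive", lookup_naive), ("strict", lookup_strict)):
        print(name, "unknown user accepted:", server_accepts(lookup, CHALLENGE, unknown))
        print(name, "valid user accepted:  ", server_accepts(lookup, CHALLENGE, valid))
```

In Exim terms, the strict variant corresponds to giving the lookup an explicit failure branch, `${lookup sqlite{...}{$value}fail}`, since a forced expansion failure of server_secret makes the cram_md5 authenticator reject the attempt.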