https://bugs.exim.org/show_bug.cgi?id=1643
Bug ID: 1643
Summary: Security hole in sqlite query
Product: Exim
Version: 4.85
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: SMTP Authentication
Assignee: pdp@???
Reporter: gorelov@???
CC: exim-dev@???
Greetings.
Got thousands of outgoing spam.
I have:
a) only one auth method enabled (auth_cram_md5)
b) only one sqlite table
Config section:

    auth_cram_md5:
      driver = cram_md5
      public_name = CRAM-MD5
      server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM \
        accounts WHERE email='${quote_sqlite:$1}';}}

The problem was when a spammer authorizes with a login that does not exist in
the table. Then the query returns an empty string and, for some unknown reason,
the secret matches.
Had to change it to

    server_secret = ${if \
      eq {0}{${lookup sqlite{/etc/exim/accounts.db SELECT \
        count(*) FROM accounts WHERE email='${quote_sqlite:$1}';}}} \
      {testkalpopa}{${lookup sqlite{/etc/exim/accounts.db SELECT \
        password FROM accounts WHERE email='${quote_sqlite:$1}';}}} \
    }

Now it denies wrong auth.
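
Added example, not part of the original report and not Exim's code: a Python model of a CRAM-MD5 (RFC 2195) server-side check against an accounts table like the one above, showing that an empty secret is still a usable HMAC key, next to a check that fails closed on a missed lookup. The table contents, addresses, challenge string and function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

def make_db():
    """Constructed sample table mirroring the report's accounts(email, password)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice@example.test', 's3cret-constructed')")
    return db

def lookup_secret(db, email):
    """Return the stored password, or None when no row matches."""
    row = db.execute("SELECT password FROM accounts WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def cram_md5_digest(secret, challenge):
    """RFC 2195: hex HMAC-MD5 of the server challenge, keyed with the shared secret."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def verify_weak(db, email, challenge, digest):
    """Models the first config: a missing row collapses to an empty secret."""
    secret = lookup_secret(db, email) or ""  # "" is still a valid HMAC key
    return hmac.compare_digest(cram_md5_digest(secret, challenge), digest)

def verify_strict(db, email, challenge, digest):
    """Fails closed: an unknown user or an empty stored secret never authenticates."""
    secret = lookup_secret(db, email)
    if not secret:
        return False
    return hmac.compare_digest(cram_md5_digest(secret, challenge), digest)

if __name__ == "__main__":
    db = make_db()
    challenge = "<1896.697170952@mail.example.test>"  # constructed challenge
    # Digest keyed with the empty string: needs no knowledge of any password.
    empty_key = cram_md5_digest("", challenge)
    print("weak, unknown user:  ", verify_weak(db, "nobody@example.test", challenge, empty_key))
    print("strict, unknown user:", verify_strict(db, "nobody@example.test", challenge, empty_key))
```

In Exim configuration the same fail-closed behaviour comes from ending the lookup with `{$value}fail`, since a forced expansion failure of server_secret rejects the authentication attempt.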