[exim-dev] [Bug 1643] Security hole in sqlite query

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1643] Security hole in sqlite query
https://bugs.exim.org/show_bug.cgi?id=1643

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED


--- Comment #1 from Phil Pennock <pdp@???> ---
Every piece of documentation on `server_secret` shows that you should use a
forced-fail in the expansion when the lookup doesn't match.

One example for `cyrusless_crammd5` does not use a forced-fail, but should. We
should fix that.

The correct config is:

server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM
accounts WHERE email='${quote_sqlite:$1}';}{$value}fail}

The security issue is nothing to do with sqlite and everything to do with
Exim's string language and how easy it is to create unexpected configuration
when not considering how things can fail. We can't do anything about this
without severely incompatible changes to how Exim is configured.

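Added illustration (not part of this bug thread and not Exim's code): a small Python model of the two outcomes the comment contrasts, plus a heuristic lint a config reviewer could run. In Exim's expansion syntax, `${lookup sqlite{...}{$value}}` with no failure branch expands to the empty string when the row is missing, so `server_secret` becomes empty; `${lookup sqlite{...}{$value}fail}` forces the expansion to fail, which the cram_md5 authenticator treats as an authentication failure. The table layout, the account rows, the `lookup_secret`, `find_unguarded_server_secrets`, `WEAK_CONFIG` and `FIXED_CONFIG` names, and the lint rule (flag a `server_secret` expansion that does not end in `fail}`) are all constructed here; the lint is a heuristic, not a parser of Exim's string language.

```python
"""Model of the forced-fail in Exim's server_secret, plus a heuristic config lint.

Constructed for illustration; this is not Exim's expander and the database,
config fragments and function names are all made up for the example.
"""
import re
import sqlite3


class ForcedFail(Exception):
    """Models Exim's forced expansion failure (the `fail` keyword)."""


def make_demo_db():
    """Constructed in-memory stand-in for /etc/exim/accounts.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES (?, ?)",
                 ("alice@example.com", "constructed-secret"))
    conn.commit()
    return conn


def lookup_secret(conn, email, forced_fail):
    """Model ${lookup sqlite{...WHERE email='$1'}{$value}fail} vs {$value}}.

    A hit returns the stored password either way. On a miss, the forced-fail
    form raises ForcedFail (Exim then fails the authentication); the form
    without `fail` expands to the empty string, i.e. an empty server_secret.
    The parameterised query plays the role of ${quote_sqlite:...} in the
    original config.
    """
    row = conn.execute("SELECT password FROM accounts WHERE email = ?",
                       (email,)).fetchone()
    if row is not None:
        return row[0]
    if forced_fail:
        raise ForcedFail("lookup miss: authentication fails")
    return ""  # empty failure branch -> empty secret


SERVER_SECRET_RE = re.compile(r"^\s*server_secret\s*=\s*(.*)$")


def _logical_lines(config_text):
    """Join Exim backslash continuation lines into logical lines."""
    out, buf = [], ""
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()  # Exim drops leading space on continuations
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def find_unguarded_server_secrets(config_text):
    """Return server_secret expansions that do not end in a forced-fail branch.

    Heuristic lint (constructed): any server_secret value containing an
    expansion item that does not end with `fail}` is reported, because a
    lookup miss would then yield an empty secret instead of failing auth.
    """
    findings = []
    for line in _logical_lines(config_text):
        m = SERVER_SECRET_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if "${" in value and not value.endswith("fail}"):
            findings.append(value)
    return findings


# Constructed config fragments: the weak form (empty failure branch) and the
# forced-fail form the comment calls correct.
WEAK_CONFIG = """\
sqlite_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM \\
                   accounts WHERE email='${quote_sqlite:$1}';}{$value}}
  server_set_id = $1
"""

FIXED_CONFIG = """\
sqlite_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup sqlite{/etc/exim/accounts.db SELECT password FROM \\
                   accounts WHERE email='${quote_sqlite:$1}';}{$value}fail}
  server_set_id = $1
"""


if __name__ == "__main__":
    db = make_demo_db()
    print("hit:", lookup_secret(db, "alice@example.com", forced_fail=True))
    print("miss, no fail:", repr(lookup_secret(db, "nobody@example.com", False)))
    try:
        lookup_secret(db, "nobody@example.com", forced_fail=True)
    except ForcedFail as e:
        print("miss, forced-fail:", e)
    print("weak config findings:", find_unguarded_server_secrets(WEAK_CONFIG))
    print("fixed config findings:", find_unguarded_server_secrets(FIXED_CONFIG))
```

The lint only looks at the shape of the expansion string, so it will not understand every way an Exim expansion can fail; its purpose is to catch the specific omission discussed in the bug, a `server_secret` whose lookup miss silently produces an empty string rather than a forced failure.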