[exim-dev] [Bug 1666] New: exim should log unexpanded querie…

Author: admin
Date:  
To: exim-dev
New threads: [exim-dev] [Bug 1666] exim should log unexpanded queries
Subject: [exim-dev] [Bug 1666] New: exim should log unexpanded queries
https://bugs.exim.org/show_bug.cgi?id=1666

            Bug ID: 1666
           Summary: exim should log unexpanded queries
           Product: Exim
           Version: 4.86
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Logging
          Assignee: nigel@???
          Reporter: arekm@???
                CC: exim-dev@???


If you use an authenticator query like this:

server_condition = ${lookup mysql{SELECT .... WHERE
ENCRYPT('${quote_mysql:$auth2}')...}

then in case of SQL DB problems Exim will happily log the expanded query, revealing
auth2 in plain text, for example. Depending on user queries, such logging may
reveal many things.

Like:

2015-08-03 10:21:36 login authenticator failed for ...: 435 Unable to
authenticate at present ...: lookup of "SELECT
...ENCRYPT('my-secret-pass-1234'...gave DEFER: MYSQL connection failed: Access
denied for user ...


That's quite bad. Exim, while logging, should log the unexpanded SQL query if
possible, to never reveal such data.

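A scrubber for log lines like the one quoted in this report, as an added example that is not part of the original bug report or of Exim: it masks SQL string literals inside the expanded query of `lookup of "..." gave DEFER` entries before logs are shared or shipped. The sample lines, hosts and SQL schema are constructed, and the closing `"` before `gave DEFER` is an assumption, since the excerpt in the report elides that part of the line.

```python
import re

# Exim reports a deferred lookup as: lookup of "<expanded query>" gave DEFER: <reason>
LOOKUP_RE = re.compile(r'(lookup of ")(.*)(" gave DEFER)')
# SQL string literal; allows backslash escapes (as ${quote_mysql:...} emits) and '' pairs.
LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'")

def redact_line(line):
    """Mask string literals inside the logged query; return (line, literals_masked)."""
    m = LOOKUP_RE.search(line)
    if not m:
        return line, 0
    query, count = LITERAL_RE.subn("'<redacted>'", m.group(2))
    # Only the query span is rewritten; the DEFER reason after it is kept verbatim.
    return line[:m.start(2)] + query + line[m.end(2):], count

def scrub(lines):
    """Return (scrubbed_lines, [(line_number, literals_masked), ...])."""
    cleaned, hits = [], []
    for number, line in enumerate(lines, 1):
        new_line, count = redact_line(line)
        cleaned.append(new_line)
        if count:
            hits.append((number, count))
    return cleaned, hits

# Constructed mainlog lines (hosts, users and the SQL schema are made up).
SAMPLE = [
    r"""2015-08-03 10:21:36 login authenticator failed for (client.example) [192.0.2.10]: 435 Unable to authenticate at present (set_id=alice): lookup of "SELECT 1 FROM users WHERE login='alice' AND pass=ENCRYPT('my-secret-pass-1234', pass)" gave DEFER: MYSQL connection failed: Access denied for user 'exim'@'localhost'""",
    r"""2015-08-03 10:21:40 SMTP connection from [192.0.2.10] closed by QUIT""",
    r"""2015-08-03 10:22:02 login authenticator failed for (client.example) [192.0.2.11]: 435 Unable to authenticate at present (set_id=bob): lookup of "SELECT 1 FROM users WHERE login='bob' AND pass=ENCRYPT('it\'s-a-secret', pass)" gave DEFER: MYSQL connection failed: Access denied for user 'exim'@'localhost'""",
]

if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE)
    for line in cleaned:
        print(line)
    print("lines that carried expanded literals:", hits)
```

The hit list doubles as a detection signal: any line it reports contained an expanded credential, so the affected passwords should be treated as exposed to everyone with read access to the log.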