https://bugs.exim.org/show_bug.cgi?id=2021
Bug ID: 2021
Summary: DB query lookups that include a complete server
parameter set will misinterpret semicolons in the db
password
Product: Exim
Version: 4.88
Hardware: All
OS: All
Status: NEW
Severity: bug
Priority: medium
Component: Lookups
Assignee: nigel@???
Reporter: peter_kelm@???
CC: exim-dev@???
Section 9.23 (Specifying the server in the query) of the exim specification
explains that a complete database server parameter set can be prepended to a
query/lookup statement. This is problematic if the database password contains a
semicolon (or more) as everything after the (first) semicolon is
(mis)interpreted as being part of the SQL query. Accordingly, the lookup fails.
From an exim debug run:
===
31568 MySQL query: servers=127.0.0.1/atmail/msql/aBcDeFgHi;x; select count(id)
from Log_SendMail where LogDate > DATE_SUB(NOW(), INTERVAL 60 MINUTE) AND
Account = '742031454@???'
31568 MYSQL using cached connection for 127.0.0.1/atmail/msql
31568 MYSQL: query failed: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near 'x; select count(id) from Log_SendMail where LogDate > DATE_SUB(NOW(),
INTERVAL 6' at line 1
===
In the debug output the issue is rather obvious as the password "aBcDeFgHi;x"
and the SQL query appear side by side. However, on webmail solutions where the
database information is specified during installation or via the web
administration frontend it is much more difficult to diagnose. A simple
password change would be enough to bring those systems down inadvertently. (We've
asked our email software manufacturer to address this issue in their system.)
The "hide mysql_servers = " part is not susceptible to such behavior.
The associated security risk seems rather low as the database would not be
accessible with a partial password and the admin user would know the db
password anyway.
I would like to suggest to remove the clause: "If it contains any slashes, it
is taken as a complete parameter set." from the spec and instead extend the
mysql_servers to include access properties (read/update) to cover the
master/slave scenarios described at the end of section 9.23.
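As an added illustration (not Exim's code, and not part of the original report), the following Python models the parse the report describes: the inline "servers=" parameter set ends at the first semicolon and the rest is sent as SQL. The host/database/user/password field order and the split on the first ";" are assumptions taken from the debug output above; the two check functions are the sort of pre- and post-change test an administrator could run on a lookup string before a password change goes live.

```python
from dataclasses import dataclass


@dataclass
class ParsedLookup:
    host: str
    database: str
    user: str
    password: str
    query: str


def parse_inline_servers(lookup: str) -> ParsedLookup:
    """Model (an assumption, not Exim's implementation) of the behaviour the
    report describes: the 'servers=' parameter set runs up to the FIRST ';'
    and everything after it is handed to the database as the SQL query."""
    prefix = "servers="
    if not lookup.startswith(prefix):
        raise ValueError("lookup does not begin with servers=")
    spec, sep, query = lookup[len(prefix):].partition(";")
    if not sep:
        raise ValueError("no ';' separating the server spec from the query")
    # host/database/user/password; split into at most four fields so that
    # only ';' (not '/') is modelled as terminating the password.
    fields = spec.split("/", 3)
    if len(fields) != 4:
        raise ValueError("server spec must be host/database/user/password")
    host, database, user, password = fields
    return ParsedLookup(host, database, user, password, query.strip())


def password_safe_for_inline_spec(password: str) -> bool:
    """Pre-change check: a ';' anywhere in the password cannot survive the split."""
    return ";" not in password


def inline_lookup_uses_full_password(lookup: str, intended_password: str) -> bool:
    """Post-change check: is the credential the lookup would actually send
    the same password the administrator configured?"""
    try:
        return parse_inline_servers(lookup).password == intended_password
    except ValueError:
        return False


# Constructed input mirroring the debug line quoted in the report.
BROKEN = ("servers=127.0.0.1/atmail/msql/aBcDeFgHi;x; "
          "select count(id) from Log_SendMail")

if __name__ == "__main__":
    parsed = parse_inline_servers(BROKEN)
    print("password sent:", parsed.password)  # truncated to aBcDeFgHi
    print("query sent:   ", parsed.query)     # begins with the leftover 'x;'
    print("full password used:", inline_lookup_uses_full_password(BROKEN, "aBcDeFgHi;x"))
```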