[exim-dev] [Bug 2021] New: DB query lookups that include a c…

Góra strony
Delete this message
Reply to this message
Autor: admin
Data:  
Dla: exim-dev
Nowe tematy: [exim-dev] [Bug 2021] DB query lookups that include a complete server parameter set will misinterpret semicolons in the db password, [exim-dev] [Bug 2021] DB query lookups that include a complete server parameter set will misinterpret semicolons in the db password
Temat: [exim-dev] [Bug 2021] New: DB query lookups that include a complete server parameter set will misinterpret semicolons in the db password
https://bugs.exim.org/show_bug.cgi?id=2021

            Bug ID: 2021
           Summary: DB query lookups that include a complete server
                    parameter set will misinterpret semicolons in the db
                    password
           Product: Exim
           Version: 4.88
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Lookups
          Assignee: nigel@???
          Reporter: peter_kelm@???
                CC: exim-dev@???


Section 9.23 (Specifying the server in the query) of the exim specification
explains that a complete database server parameter set can be prepended to a
query/lookup statement. This is problematic if the database password contains a
semicolon (or more) as everything after the (first) semicolon is
(mis)interpreted as being part of the SQL query. Accordingly, the lookup fails.

>From an exim debug run:

===
31568 MySQL query: servers=127.0.0.1/atmail/msql/aBcDeFgHi;x; select count(id)
from Log_SendMail where LogDate > DATE_SUB(NOW(), INTERVAL 60 MINUTE) AND
Account = '742031454@???'
31568 MYSQL using cached connection for 127.0.0.1/atmail/msql
31568 MYSQL: query failed: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near 'x; select count(id) from Log_SendMail where LogDate > DATE_SUB(NOW(),
INTERVAL 6' at line 1
===

In the debug output the issue is rather obvious as the password "aBcDeFgHi;x"
and the SQL query appear side by side. However, on webmail solutions where the
database information is specified during installation or via the web
administration frontend it is much more difficult to diagnose. A simple
password change would be enough bring those systems down inadvertedly. (We've
asked our email software manufacturer to address this issue in their system.)

The "hide mysql_servers = " part is not susceptible to such behavior.

The associated security risk seems rather low as the database would not be
accessible with a partial password and the admin user would know the db
password anyway.

I would like to suggest to remove the clause: "If it contains any slashes, it
is taken as a complete parameter set." from the spec and instead extend the
mysql_servers to include access properties (read/update) to cover the
master/slave scenarios described at the end of section 9.23.

--
You are receiving this mail because:
You are on the CC list for the bug.