[exim] Re: tainted search query is not properly quoted (rout…

Pàgina inicial
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
A: exim-users
Assumpte: [exim] Re: tainted search query is not properly quoted (router localWrite_gw, /etc/exim/configure 914)
On 15/11/2024 12:25, Luca Bertoncello via Exim-users wrote:
> I cannot understand "tainted search query is not properly quoted"...


Wow, that's pretty unreadable just due to the size of it.

Does mysql not have stored-procedures?

Anyway, I spot (at least) a bare "$message_headers" in there.
An attacker could very simply send you a custom header with
some SQL syntax in, causing your DB access to do something you
did not want to permit. Like deleting all your data.

You need to quote such items, which is why Exim is warning you
about it.

--
Cheers,
Jeremy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/