On 15/11/2024 12:25, Luca Bertoncello via Exim-users wrote:
> I cannot understand "tainted search query is not properly quoted"...
Wow, that's pretty unreadable just due to the size of it.
Does MySQL not have stored procedures?
Anyway, I spot (at least) a bare "$message_headers" in there.
An attacker could very simply send you a custom header with
some SQL syntax in, causing your DB access to do something you
did not want to permit. Like deleting all your data.
You need to quote such items, which is why Exim is warning you
about it.
--
Cheers,
Jeremy
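As an added illustration of Jeremy's point (this is not code from the thread or from Exim), the script below models what happens when a tainted header value is spliced into a MySQL lookup query, first bare and then wrapped in Exim's ${quote_mysql:...} operator. The table `blocklist`, the column `hdrs` and the `X-Tag` header are hypothetical, the message headers are constructed input, and `quote_mysql()` is an assumed model of what Exim's operator does (backslash-escaping quotes, backslashes and a few control characters); the corresponding Exim lookup expressions are shown in comments next to each query builder.

```python
"""
Model of an unquoted tainted variable inside a MySQL lookup query.
Added example, not Exim code.  quote_mysql() is ASSUMED to mirror Exim's
${quote_mysql:...} operator; table and column names are hypothetical.
"""

# Constructed input: the header block of a message an attacker sends.
# The X-Tag header carries SQL syntax; only quoting decides whether it is
# treated as data or as part of the statement.
ATTACK_HEADERS = (
    "From: attacker@example.org\n"
    "Subject: hello\n"
    "X-Tag: '; DELETE FROM blocklist; -- \n"
)


def quote_mysql(s: str) -> str:
    """Backslash-escape characters that can end or alter a MySQL string
    literal.  Assumed model of Exim's ${quote_mysql:...}; in a real config
    use the operator itself, not this function."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ch == "\b":
            out.append("\\b")
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def query_unquoted(headers: str) -> str:
    # Exim equivalent (weak):
    #   ${lookup mysql{SELECT 1 FROM blocklist WHERE hdrs = '$message_headers'}{yes}{no}}
    return f"SELECT 1 FROM blocklist WHERE hdrs = '{headers}'"


def query_quoted(headers: str) -> str:
    # Exim equivalent (hardened):
    #   ${lookup mysql{SELECT 1 FROM blocklist WHERE hdrs = '${quote_mysql:$message_headers}'}{yes}{no}}
    return f"SELECT 1 FROM blocklist WHERE hdrs = '{quote_mysql(headers)}'"


def outside_literals(sql: str) -> str:
    """Return the text of `sql` that the server would parse as statement
    syntax, i.e. everything not inside a single-quoted literal.  Handles
    backslash escapes and doubled quotes inside literals."""
    out, inside, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if inside:
            if ch == "\\" and i + 1 < len(sql):
                i += 2          # escaped character, still inside the literal
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2      # '' is an escaped quote inside the literal
                    continue
                inside = False
        else:
            if ch == "'":
                inside = True
            else:
                out.append(ch)
        i += 1
    return "".join(out)


def injected(sql: str) -> bool:
    """True if the attacker's DELETE ended up as statement syntax rather
    than as data inside the string literal."""
    return "DELETE FROM" in outside_literals(sql)


if __name__ == "__main__":
    for name, q in (("unquoted", query_unquoted(ATTACK_HEADERS)),
                    ("quoted", query_quoted(ATTACK_HEADERS))):
        print(f"{name}: injected={injected(q)}")
        print("   " + q.replace("\n", "\\n"))
```

Run as-is: the bare form lets the header's `'` close the literal, so `DELETE FROM blocklist` becomes part of the statement; the quoted form keeps the whole header block inside one string literal. The Exim-side fix is the second commented expression, with every tainted variable in the query wrapped in ${quote_mysql:...}, which is exactly what the "tainted search query is not properly quoted" warning is asking for.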