[exim] Re: tainted search query is not properly quoted (rout…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jeremy Harris
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: tainted search query is not properly quoted (router localWrite_gw, /etc/exim/configure 914)
On 15/11/2024 12:25, Luca Bertoncello via Exim-users wrote:
> I cannot understand "tainted search query is not properly quoted"...


Wow, that's pretty unreadable just due to the size of it.

Does mysql not have stored-procedures?

Anyway, I spot (at least) a bare "$message_headers" in there.
An attacker could very simply send you a custom header with
some SQL syntax in, causing your DB access to do something you
did not want to permit. Like deleting all your data.

You need to quote such items, which is why Exim is warning you
about it.

--
Cheers,
Jeremy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/