[Vmail-discuss] Important: problem with MySQL escaping
Chris Lightfoot
chris@xxxxxxxxxxxxx
Tue, 2 Jul 2002 13:10:44 +0100
We've discovered a (sadly fairly basic) error in the
suggested Exim configuration for vmail-sql.
Exim escapes the arguments to ${lookup mysql{...}}, but it
does not escape substituted strings within the query. So
where we have, for instance,
${lookup mysql{select ... where domain.domain_name = '$domain' ... } ...}
it should be replaced with
${lookup mysql{select ... where domain.domain_name = '${quote_mysql:$domain}' ... } ...}
Obviously this error creates the opportunity for a
security hole, since local parts at least may contain '
and various other nasty characters. If you have configured
vmail-sql so that Exim's access to the database is
read-only, this should only manifest itself as a denial of
service problem. In any case you should make the
modifications shown above.
Note also that in the specification of local_domains, you
must use two colons in the ${quote_mysql...} operator,
otherwise Exim thinks that you are terminating the list.
Cf.
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20000515/018154.html
Apologies for this SNAFU.
--
I stops when I'm requested, although it spoils the ride/
So he can shout `Get out of it, we're full right up inside'.
(Flanders and Swann, `A Transport of Delight')
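Added example, not code from the post above or from vmail-sql or Exim: a Python re-implementation of the escaping that Exim's ${quote_mysql:...} operator applies (the escaped character set is assumed to match Exim's lookups/mysql.c: newline, tab, carriage return, backspace, both quote characters and backslash), used to show how an unescaped $domain changes the structure of the query, plus a splitter for Exim colon-separated lists that shows why the post says a double colon is needed inside local_domains. The column names other than domain.domain_name, the attacker-supplied domain and the list strings are constructed for the example.

```python
# Added example (not from the original post, vmail-sql or Exim).
# Characters quote_mysql escapes: assumption, taken to match Exim's mysql.c.
_ESCAPES = {"\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
            "'": "\\'", '"': '\\"', "\\": "\\\\"}


def quote_mysql(s: str) -> str:
    """Escape a string for use inside a single-quoted MySQL literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def build_query(domain: str, quoted: bool) -> str:
    """Expand the domain lookup as the old (quoted=False) and the fixed
    (quoted=True) configuration would.  Only domain.domain_name comes from
    the post; the other column names are illustrative."""
    if quoted:
        domain = quote_mysql(domain)
    return ("select domain.path from domain "
            "where domain.domain_name = '%s' and domain.active = 1" % domain)


def first_literal(sql: str) -> tuple:
    """Return (content, remainder) for the first single-quoted literal in sql,
    scanned with MySQL's backslash and '' escape rules: 'content' is what the
    server treats as the string value, 'remainder' is what it parses as SQL."""
    start = sql.index("'") + 1
    i, out = start, []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):      # backslash escape: keep pair
            out.append(sql[i:i + 2]); i += 2; continue
        if ch == "'":
            if sql[i + 1:i + 2] == "'":           # '' inside a literal is a quote
                out.append("''"); i += 2; continue
            return "".join(out), sql[i + 1:]
        out.append(ch); i += 1
    return "".join(out), ""


def split_colon_list(value: str) -> list:
    """Split an Exim colon-separated list; '::' stands for a literal colon."""
    items, cur, i = [], [], 0
    while i < len(value):
        if value[i] == ":":
            if value[i + 1:i + 2] == ":":
                cur.append(":"); i += 2; continue
            items.append("".join(cur).strip()); cur = []
        else:
            cur.append(value[i])
        i += 1
    items.append("".join(cur).strip())
    return items


# Constructed attacker-controlled domain: closes the literal, then comments
# out the rest of the query.
EVIL_DOMAIN = "example.com' or 1=1 -- "

if __name__ == "__main__":
    for quoted in (False, True):
        value, rest = first_literal(build_query(EVIL_DOMAIN, quoted))
        print("quoted=%s\n  literal : %r\n  trailing: %r" % (quoted, value, rest))
    # Constructed local_domains values: a single colon inside the operator ends
    # the list item early; '::' keeps the lookup in one item.
    bad = "localhost : ${lookup mysql{select ... '${quote_mysql:$domain}'}{$value}}"
    good = bad.replace("quote_mysql:", "quote_mysql::")
    print(len(split_colon_list(bad)), "items vs", len(split_colon_list(good)))
```

With the unquoted query the literal ends at "example.com" and " or 1=1 -- ..." is parsed as SQL; with quote_mysql the whole injected text stays inside the literal. Whether the damage stops at a wrong or empty result, as the post says for a read-only database user, depends entirely on the privileges granted to Exim's database account, so the quoting fix is the real remedy.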