[Vmail-discuss] Important: problem with MySQL escaping

Chris Lightfoot chris@xxxxxxxxxxxxx
Tue, 2 Jul 2002 13:10:44 +0100

We've discovered a (sadly fairly basic) error in the
suggested Exim configuration for vmail-sql.

Exim escapes the arguments to ${lookup mysql{...}}, but it
does not escape substituted strings within the query. So
where we have, for instance,

  ${lookup mysql{select ... where domain.domain_name = '$domain' ... } ...}

it should be replaced with

  ${lookup mysql{select ... where domain.domain_name = '${quote_mysql:$domain}'

Obviously this error creates the opportunity for a
security hole, since local parts at least may contain '
and various other nasty characters. If you have configured
vmail-sql so that Exim's access to the database is
read-only, this should only manifest itself as a denial of
service problem. In any case you should make the
modifications shown above.

Note also that in the specification of local_domains, you
must use two colons in the ${quote_mysql...} operator,
otherwise Exim thinks that you are terminating the list.


Apologies for this SNAFU.

I stops when I'm requested, although it spoils the ride/
So he can shout `Get out of it, we're full right up inside'.
 (Flanders and Swann, `A Transport of Delight')