On Thu, 2006-08-17 at 17:19 +0000, Michael Tabolsky wrote:
> On Thu, 2006-08-17 at 17:29 +0200, Lars Kneschke wrote:
> > A web-based application has stored the database connection string in
> > cleartext somewhere on the webserver. If you hack the webserver and get the
> > sql connection setting you have access to the whole (imap)database. That's
> > really bad.
>
> well, AFAIK dbmail-imapd keeps SQL password in memory, and if you
> figure how to get it out using some overflow you can get the password.
> That's theoretically. I am not a h4zkor myself, but yet it seems to be
> achievable unless dbmail-imapd uses some clever memory allocations
> which disallow the prediction of where the variables are located in
> the memory.

I do not have experience with this type of obfuscation, and I'll venture a guess that Paul does not, either. If someone on the list does have an idea of how it might work, and would like to explain it, post a patch, and it all makes sense, I'd go for it ;-)

Aaron
