Aaron Stone wrote:
> On Thu, 2006-08-17 at 17:19 +0000, Michael Tabolsky wrote:
>> On Thu, 2006-08-17 at 17:29 +0200, Lars Kneschke wrote:
>>> A web-based application has stored the database connection string in
>>> cleartext somewhere on the webserver. If you hack the webserver and get the
>>> sql connection setting you have access to the whole (imap)database. That's
>>> really bad.
>> well, AFAIK dbmail-imapd keeps SQL password in memory, and if you
>> figure out how to get it out using some overflow you can get the password.
>> That's theoretically. I am not a h4zkor myself, but yet it seems to be
>> achievable unless dbmail-imapd uses some clever memory allocations
>> which disallow the prediction of where the variables are located in
>> the memory.
>
> I do not have experience with this type of obfuscation, and I'll venture
> a guess that Paul does not, either. If someone on the list does have an
> idea of how it might work, and would like to explain it, post a patch,
> and it all makes sense, I'd go for it ;-)

We could access the password only just before we need it: during
connecting, and forget about it when we're done. However, if a hacker
controls a dbmail program, he may as well be considered to have read
access to dbmail.conf. No easy way around that.

--
________________________________________________________________
Paul Stevens                                      paul at nfg.nl
NET FACILITIES GROUP                     GPG/PGP: 1024D/11F8CD31
The Netherlands________________________________http://www.nfg.nl
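A sketch of the approach suggested in the message above, reading the password only for the duration of one connect call and wiping the buffer afterwards. This is an added example, not code from the thread or from DBMail; the `pass` key, the sample config, and the names `conf_get`, `secure_wipe`, `stub_connect` and `connect_jit` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample standing in for dbmail.conf; the key name is an assumption. */
static const char SAMPLE_CONF[] = "[DBMAIL]\nuser = dbmail\npass = s3cret-example\n";

/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy the value of "key = value" from conf into out; returns 0 on success. */
static int conf_get(const char *conf, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    for (const char *line = conf; *line; ) {
        size_t len = strcspn(line, "\n");
        if (len > klen && strncmp(line, key, klen) == 0) {
            const char *v = line + klen, *end = line + len;
            while (v < end && *v == ' ') v++;
            if (v < end && *v == '=') {
                for (v++; v < end && *v == ' '; v++) {}
                if ((size_t)(end - v) >= outlen) return -1;  /* value too long */
                memcpy(out, v, (size_t)(end - v));
                out[end - v] = '\0';
                return 0;
            }
        }
        line += len + (line[len] == '\n');
    }
    return -1;
}

/* Hypothetical stand-in for the real database connect call. */
static int stub_connect(const char *pass) { return strcmp(pass, "s3cret-example") ? -1 : 0; }

/* Read the password, use it for one connect, wipe it before returning. */
static int connect_jit(const char *conf, int (*do_connect)(const char *)) {
    char pass[128] = "";
    int rc = conf_get(conf, "pass", pass, sizeof pass) == 0 ? do_connect(pass) : -1;
    secure_wipe(pass, sizeof pass);   /* runs on success and on failure */
    return rc;
}

int main(void) {
    int rc = connect_jit(SAMPLE_CONF, stub_connect);
    printf("connect rc=%d\n", rc);
    return rc;
}
```

This only shortens the time the password sits in the process's own buffer; the database client library may keep its own copy, and as the message notes, anyone who controls the process can read dbmail.conf anyway.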
