On Thu, 2006-08-17 at 10:48 -0700, Aaron Stone wrote:
> On Thu, 2006-08-17 at 17:19 +0000, Michael Tabolsky wrote:
> > On Thu, 2006-08-17 at 17:29 +0200, Lars Kneschke wrote:
> > > A web-based application has stored the database connection string in
> > > cleartext somewhere on the webserver. If you hack the webserver and get the
> > > SQL connection setting you have access to the whole (imap) database. That's
> > > really bad.
> >
> > Well, AFAIK dbmail-imapd keeps the SQL password in memory, and if you
> > figure out how to get it out using some overflow you can get the password.
> > That's theoretical. I am not a h4zkor myself, but yet it seems to be
> > achievable unless dbmail-imapd uses some clever memory allocations
> > which disallow the prediction of where the variables are located in
> > the memory.
>
> I do not have experience with this type of obfuscation, and I'll venture
> a guess that Paul does not, either. If someone on the list does have an
> idea of how it might work, and would like to explain it, post a patch,
> and it all makes sense, I'd go for it ;-)
memset(passwd, 0, strlen(passwd)); after connect. Let it run for a bit, and send it SIGABRT to force it to core dump. Run strings on the dump to see if you can find the password still.

This doesn't, however, solve the problem that a leet "h4zkor" could still perform other attacks: they already have an SQL connection open and could change other users' passwords. http://www.dbmail.org/dokuwiki/doku.php?id=privsep would indeed prevent this attack (and others!)

-- 
Internet Connection
High Quality Web Hosting
http://www.internetconnection.net/
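The scrub-then-check idea from the reply above, as an added example that is not dbmail's code and not part of the original thread. It assumes a hypothetical connection-string format ("host=... user=... pass=...") and a stub db_connect() that keeps two heap copies of the secret, the parsed config line and the extracted password, the way a DSN parser typically does. count_secret() stands in for the `strings core | grep` step and scans raw memory that may contain NULs. The wipe goes through a volatile pointer rather than a bare memset(), because a memset() whose buffer is freed right afterwards is a dead store the compiler is allowed to drop; the point of the example is that wiping only the password buffer still leaves the copy inside the config line, which is exactly what the core-dump check is meant to catch.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero n bytes through a volatile pointer so the store cannot be eliminated as
 * dead. Stand-in for explicit_bzero()/memset_s(), which are not universally
 * available. A plain memset() right before free() may be optimised away. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Emulates `strings core | grep secret`: count occurrences of a
 * NUL-terminated needle anywhere in a raw memory region (region may contain NULs). */
static size_t count_secret(const unsigned char *region, size_t len, const char *needle)
{
    size_t nlen = strlen(needle), hits = 0;
    if (nlen == 0 || len < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(region + i, needle, nlen) == 0)
            hits++;
    return hits;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Hypothetical connection state: the parsed config line and the password
 * extracted from it, each a separate heap copy of the same secret. */
struct db_conn {
    char *config_line;   /* constructed example: "host=localhost user=dbmail pass=hunter2" */
    char *passwd;        /* the part handed to the SQL client library */
    int connected;
};

/* Copy the value following "key" up to the next space (hypothetical DSN syntax). */
static char *extract_value(const char *line, const char *key)
{
    const char *p = strstr(line, key);
    if (!p)
        return NULL;
    p += strlen(key);
    const char *end = strchr(p, ' ');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    char *v = malloc(n + 1);
    if (!v)
        return NULL;
    memcpy(v, p, n);
    v[n] = '\0';
    return v;
}

/* Stub for the real connect: parses the line, keeps both copies around. */
static int db_connect(struct db_conn *c, const char *config_line)
{
    c->config_line = dup_str(config_line);
    c->passwd = c->config_line ? extract_value(c->config_line, "pass=") : NULL;
    if (!c->config_line || !c->passwd)
        return -1;
    c->connected = 1;   /* a real client library would authenticate here */
    return 0;
}

/* Connect, apply the chosen scrub policy, then report how many copies of the
 * password are still findable in the process's buffers (what SIGABRT + strings
 * would reveal). Returns (size_t)-1 on allocation failure. */
static size_t leftover_copies(const char *config_line, int scrub_passwd, int scrub_config)
{
    struct db_conn c = {0};
    if (db_connect(&c, config_line) != 0)
        return (size_t)-1;

    /* Remember the secret and the buffer sizes before anything is wiped. */
    char *secret = dup_str(c.passwd);
    size_t plen = strlen(c.passwd), clen = strlen(c.config_line);
    if (!secret) {
        free(c.passwd);
        free(c.config_line);
        return (size_t)-1;
    }

    if (scrub_passwd)
        scrub(c.passwd, plen);          /* the memset(passwd, 0, strlen(passwd)) from the mail */
    if (scrub_config)
        scrub(c.config_line, clen);     /* the copy people forget about */

    size_t hits = count_secret((const unsigned char *)c.passwd, plen, secret)
                + count_secret((const unsigned char *)c.config_line, clen, secret);

    scrub(secret, strlen(secret));
    free(secret);
    free(c.passwd);
    free(c.config_line);
    return hits;
}

int main(void)
{
    const char *dsn = "host=localhost user=dbmail pass=hunter2";   /* constructed */
    printf("no scrub:              %zu copies\n", leftover_copies(dsn, 0, 0));
    printf("scrub passwd only:     %zu copies\n", leftover_copies(dsn, 1, 0));
    printf("scrub passwd + config: %zu copies\n", leftover_copies(dsn, 1, 1));
    return 0;
}
```

On a real daemon the check is the one the mail describes: `kill -ABRT <pid>` after the connection is up, then `strings core | grep <password>`; every hit is a buffer the scrub missed.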
