________________________________
From: John Jetmore <[email protected]>
To: Brian Spraker <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Tuesday, September 27, 2011 8:02 PM
Subject: Re: [exim] Plain Authentication Failures

On Tue, Sep 27, 2011 at 6:29 PM, Brian Spraker <[email protected]> wrote:
> Hello all,
>
> Been struggling with a problem here.  I am getting "535 incorrect 
> authentication data" errors when folks attempt to use plain authentication.
>
> The odd thing is - I have users using Outlook and none of them appear to have 
> the problems.

Outlook is likely using LOGIN while the others are using PLAIN.  Just
guessing, but see below.

> Here is my authenticators config:
>
> begin authenticators
>
> plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_prompts = :
>     server_set_id = $auth2
>     server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE 
> user_uid ='${quote_mysql:$1}' AND user_pass ='${quote_mysql:$2}'}{1}fail}
>     server_advertise_condition = true
>
> login:
>     driver = plaintext
>     public_name = LOGIN
>     server_prompts = "Username:: : Password::"
>     server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE 
> user_uid="$1" AND user_pass="$2"}{1}fail}
>     server_set_id = $1
>     server_advertise_condition = false

PLAIN and LOGIN both use the same plaintext driver, but the vars are
different.  In LOGIN the login creds are in $1 and $2 (although $auth1
and $auth2 are preferred now).  In PLAIN, the creds are in $2 and $3
($auth2 and $auth3).

So, your LOGIN authenticator is correctly using $1 and $2.  Your PLAIN
authenticator is incorrectly using $1 and $2.  Try, in PLAIN, changing
the user_uid condition to $2 ($auth2) and the user_pass condition to
$3 ($auth3).

> Here is the error in the log:
>
> 2011-09-27 17:10:19 plain authenticator failed for 
> android_5efb516d7ad14990.domain.com (localhost) [192.168.254.33]: 535 
> Incorrect authentication data ([email protected])

Note that the error correctly references the user credential as
[email protected], which you set to $auth2 in the PLAIN authenticator,
but in your query you're using $1.

Also, I don't have a ton of mysql/exim experience, but it sure looks
like your LOGIN authenticator is a potential attack vector.  You
should look into wrapping the user inputs ($1 and $2) in ${quote_mysql
like PLAIN.

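As an added illustration (not part of the original thread or of Exim itself), the Python below decodes the two SASL exchanges into Exim's $authN variables, which is why PLAIN credentials land in $auth2/$auth3 while LOGIN's land in $auth1/$auth2, and applies quote_mysql-style escaping to the lookup from the config above. The escape set is an approximation of what Exim's MySQL driver escapes, and the sample credentials are constructed.

```python
import base64

# Constructed sample credentials (not from the thread).
SAMPLE_PLAIN_B64 = base64.b64encode(b"\0bob@example.com\0s3cret").decode()
SAMPLE_LOGIN_B64 = (base64.b64encode(b"bob@example.com").decode(),
                    base64.b64encode(b"s3cret").decode())

def plain_auth_vars(initial_response_b64: str) -> dict:
    """SASL PLAIN (RFC 4616) is authzid NUL authcid NUL passwd.  The
    authorization id is normally empty, so the username is $auth2 and
    the password is $auth3 (or $2/$3 in the old numbered form)."""
    raw = base64.b64decode(initial_response_b64).decode("utf-8")
    parts = raw.split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must have exactly three NUL-separated fields")
    authzid, authcid, passwd = parts
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}

def login_auth_vars(username_b64: str, password_b64: str) -> dict:
    """LOGIN prompts for the two values one at a time, so they become
    $auth1/$auth2 ($1/$2 in the old form)."""
    return {"auth1": base64.b64decode(username_b64).decode("utf-8"),
            "auth2": base64.b64decode(password_b64).decode("utf-8")}

def quote_mysql(s: str) -> str:
    """Approximation of Exim's ${quote_mysql:...} (assumption: it backslash-
    escapes quote marks, backslash, newline, CR, tab and backspace)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\t": "\\t", "\b": "\\b"}
    return "".join(table.get(ch, ch) for ch in s)

def server_condition_query(user: str, password: str, quoted: bool) -> str:
    """Build the lookup string from the thread's config, with or without
    the quote_mysql wrapping that the LOGIN authenticator was missing."""
    if quoted:
        user, password = quote_mysql(user), quote_mysql(password)
    return ("SELECT user_uid FROM horde_users WHERE "
            f"user_uid='{user}' AND user_pass='{password}'")

def unescaped_single_quotes(query: str) -> int:
    """Count quote marks that delimit literals.  Two literals give 4; any
    other number means a credential broke out of its string literal."""
    count, escaped = 0, False
    for ch in query:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count
```

With quoting applied, a username such as o'brien stays inside its literal (4 delimiting quotes); without it the same value yields 5, which is the shape of query the reply warns about.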
---------------------------------


Thank you for the help John.  You hit the nail on the head and that completely 
took care of the problem.  I had read something online about using $1 and then 
choosing $2 or $3 as the password, but that didn't work either.

I had a friend of mine assist with troubleshooting.  The 
"server_advertise_condition" for "login:" was changed to false - and he could 
no longer authenticate via Outlook.  So as you pointed out, Outlook uses the 
"login:" method.

After changing the $1 to a $2 and the $2 to a $3 in the "plain:" mechanism, the 
Android device worked perfectly.

As for the SQL injections - I was in the process of updating the "login:" 
authentication just before I sent this to the board so that is why the "plain:" 
has that fixed and the "login:" didn't - but it is all done now.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/