On 2014-12-12, Jonathan Gilpin <[email protected]> wrote:
> Hi,
>
> I have found spam has been sent out through our server by authenticated users
> which don't exist..
>
> e.g ...
>
> A=fixed_login:[email protected]
>
> fixed_login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = ${lookup mysql{SELECT concat(local_part,'@',domain) FROM \
>     MYSQL_AUTHTABLE WHERE (concat(local_part,'@',domain) = '$1' OR email = '$1') \
>     AND password='$2'}{1}fail}
>   server_set_id = $1
>
> Can anyone give me any pointers?

You're vulnerable to SQL injection. The way you have it, any username works with the password "' OR ''='", also the password "'OR True --", etc.

Try this fix:

server_condition = ${lookup mysql{SELECT \
  concat(local_part,'@',domain) FROM MYSQL_AUTHTABLE \
  WHERE (concat(local_part,'@',domain) = '${quote_mysql:$1}' \
  OR email = '${quote_mysql:$1}') AND password='${quote_mysql:$2}' \
  }{1}fail}

-- 
umop apisdn
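An added check (not from the thread) that models the two server_condition variants above against a small constructed user table, so a defender can confirm that the unquoted lookup accepts the "' OR ''='" password for any username while the quoted lookup does not. It assumes SQLite in place of MySQL, a table named users standing in for MYSQL_AUTHTABLE, string concatenation via || instead of concat(), and a quote_sql() that emulates the intent of ${quote_mysql:...} by doubling single quotes (MySQL's operator uses backslash escapes instead).

```python
import sqlite3

# Constructed sample table standing in for Exim's MYSQL_AUTHTABLE (assumption).
SCHEMA = """
CREATE TABLE users (local_part TEXT, domain TEXT, email TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'example.com', 'alice@example.com', 's3cret');
"""


def quote_sql(value):
    # Emulates what ${quote_mysql:...} is for: neutralise quote characters so
    # the value stays inside one string literal. SQLite has no backslash
    # escapes, so this emulation doubles the quote instead (assumption).
    return value.replace("'", "''")


def unsafe_condition(user, password):
    # The original (vulnerable) server_condition: $1/$2 pasted in verbatim.
    return ("SELECT local_part || '@' || domain FROM users WHERE "
            f"(local_part || '@' || domain = '{user}' OR email = '{user}') "
            f"AND password='{password}'")


def safe_condition(user, password):
    # The fixed server_condition: every expansion wrapped in the quoting operator.
    u, p = quote_sql(user), quote_sql(password)
    return ("SELECT local_part || '@' || domain FROM users WHERE "
            f"(local_part || '@' || domain = '{u}' OR email = '{u}') "
            f"AND password='{p}'")


def authenticates(build, user, password):
    # True if the lookup yields a row, i.e. Exim would accept the LOGIN attempt.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(build(user, password)).fetchone() is not None
    except sqlite3.Error:
        return False  # a malformed query makes the lookup fail, so login is refused
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "' OR ''='"
    print("unsafe, bogus user + payload:", authenticates(unsafe_condition, "nobody", payload))
    print("safe,   bogus user + payload:", authenticates(safe_condition, "nobody", payload))
    print("safe,   real credentials:    ", authenticates(safe_condition, "alice@example.com", "s3cret"))
```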
