Hi All,
A few hours ago i received an e-mail message from Timo Sirainen (i
attached the message) regarding a dangerous security bug in the dbmail
imap daemon.
Roel just fixed up 'quick-fix' patches (attached with this message) for
this security bug since quite a lot of people are running the imap
server in production.
Please keep in mind that this doesn't take care of the whole problem.
It fixes the possibility of inserting SQL during the authentication
proces. An authenticated user
can still inject SQL into normal imap commands.
Fixing of the remainders of these problems and other problems as noted
in Timo Sirainen's message will be checked and fixed next monday.
CVS also has an updates version.
Good luck!
Eelco
> From: Timo Sirainen <tss@iki.fi>
> Date: vri jul 25, 2003 18:34:06 Europe/Amsterdam
> To: bug@dbmail.org
> Subject: dbmail 1.1 sql injections
>
> Looks like you've done nothing to prevent them. For example in login
> user name and mailbox names. Maybe elsewhere, didn't look enough. For
> example:
>
> x login "cras'; update users set passwd = 'bar' where userid = 'cras';
> select user_idnr, passwd, encryption_type FROM users WHERE userid =
> 'cras" "bar"
> x OK LOGIN completed
>
> Other things you might want to fix:
>
> strncpy() calls in build_imap_search() doesn't leave space for
> trailing \0.
>
> Handling literals in build_args_array_ext() doesn't limit the literal
> size in any way. So user could just make the server allocate as much
> memory as it wants to. Also you don't check if fgetc() returns -1, so
> user can just given literal size of 2GB and disconnect, and server
> will fill the memory with -1. And you might want to look at the
> literal stuff in
> http://irccrew.org/~cras/security/advisories/imap-clients.txt,
> although your server currently isn't vulnerable to it because you're
> using signed integers for cnt/quotedSize.
A few hours ago i received an e-mail message from Timo Sirainen (i
attached the message) regarding a dangerous security bug in the dbmail
imap daemon.
Roel just fixed up 'quick-fix' patches (attached with this message) for
this security bug since quite a lot of people are running the imap
server in production.
Please keep in mind that this doesn't take care of the whole problem.
It fixes the possibility of inserting SQL during the authentication
proces. An authenticated user
can still inject SQL into normal imap commands.
Fixing of the remainders of these problems and other problems as noted
in Timo Sirainen's message will be checked and fixed next monday.
CVS also has an updates version.
Good luck!
Eelco
> From: Timo Sirainen <tss@iki.fi>
> Date: vri jul 25, 2003 18:34:06 Europe/Amsterdam
> To: bug@dbmail.org
> Subject: dbmail 1.1 sql injections
>
> Looks like you've done nothing to prevent them. For example in login
> user name and mailbox names. Maybe elsewhere, didn't look enough. For
> example:
>
> x login "cras'; update users set passwd = 'bar' where userid = 'cras';
> select user_idnr, passwd, encryption_type FROM users WHERE userid =
> 'cras" "bar"
> x OK LOGIN completed
>
> Other things you might want to fix:
>
> strncpy() calls in build_imap_search() doesn't leave space for
> trailing \0.
>
> Handling literals in build_args_array_ext() doesn't limit the literal
> size in any way. So user could just make the server allocate as much
> memory as it wants to. Also you don't check if fgetc() returns -1, so
> user can just given literal size of 2GB and disconnect, and server
> will fill the memory with -1. And you might want to look at the
> literal stuff in
> http://irccrew.org/~cras/security/advisories/imap-clients.txt,
> although your server currently isn't vulnerable to it because you're
> using signed integers for cnt/quotedSize.
Attached Files:
-
dbauthmysql.c.patch (0.73 KB)
-
dbauthpgsql.c.patch (0.67 KB)