Hi.

I've been using amavisd-2.1.2, and am now trying to upgrade to 2.4.1.
As far as I can tell, all my Perl modules are up to date, and Perl is
version 5.8.4.

I'm having trouble with tainted SQL queries, though.

I'm getting this in my logs:

Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911 local7.info] (hxaW.N) sql: preparing and executing: SELECT bypass_virus_checks,bypass_spam_checks,bypass_virus_checks AS virus_lover,bypass_virus_checks AS bypass_banned_checks,bypass_virus_checks AS banned_files_lover,policy_name,spam_tag_level,spam_kill_level,spam_kill_level AS spam_tag2_level,uname AS id FROM users WHERE uname IN (?,?,?,?)
Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911 local7.warning] (hxaW.N) (!) lookup_sql: Insecure dependency in parameter 1 of DBI::db=HASH(0x155ac5c)->prepare method call while running with -T switch at (eval 36) line 136, <GEN6> line 49., ,
Jun 21 12:15:26 anubis.medic.chalmers.se amavis[20430]: [ID 702911 local7.error] (hxaW.N) (!!) TROUBLE in check_mail: cached FAILED: Insecure dependency in parameter 1 of DBI::db=HASH(0x155ac5c)->prepare method call while running with -T switch at (eval 36) line 136, <GEN6> line 49. at (eval 39) line 262, <GEN6> line 49.


My SQL-related config looks like this:
============
@lookup_sql_dsn =
  ( ['DBI:mysql:database=sicconfd2:host=127.0.0.1',
  'user', 'password']);

$sql_select_policy = 'SELECT bypass_virus_checks,bypass_spam_checks,bypass_virus_checks AS virus_lover,bypass_virus_checks AS bypass_banned_checks,bypass_virus_checks AS banned_files_lover,policy_name,spam_tag_level,spam_kill_level,spam_kill_level AS spam_tag2_level,uname AS id FROM users WHERE uname IN (%k)';

$sql_select_white_black_list = undef;
=============

Any ideas on where to look next, or what to do?

//Christer

-- 
| Hagåkersgatan 18C | Telefon: Hem 031 - 42 52 03     CTH: 031 - 772 5431     |
| 431 41 Mölndal    | Epost:   [EMAIL PROTECTED]  Nalle: +46 (0)707 535757  |
|                   | WWW:     http://www.cd.chalmers.se/~mort/               |
"An NT server can be run by an idiot, and usually is." -- Tom Holub, a.h.b-o-i
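
Added example, not part of the original post and not amavisd code: the logged error names parameter 1 of prepare, which is the statement text rather than the bound values, and this script shows DBI's taint check reacting to a tainted statement and accepting the same text once it has passed an allow-list regex. Assumptions: an in-memory DBD::SQLite database stands in for the MySQL DSN, the template is a shortened constructed one, TaintIn is set explicitly, and expand_keys and untaint_sql are hypothetical helpers.

```perl
#!/usr/bin/perl -T
# Added illustration; run as: perl -T taint_demo.pl  (needs DBI and DBD::SQLite)
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Constructed, shortened stand-in for a $sql_select_policy template.
my $clean = 'SELECT policy_name, uname AS id FROM users WHERE uname IN (%k)';
# Same text marked tainted, as if it had been read from outside the program:
# appending a zero-length slice of a tainted value taints the result.
my $dirty = $clean . substr("$0$^X", 0, 0);

# Expand %k into one placeholder per lookup key (hypothetical helper).
sub expand_keys {
    my ($tmpl, $n) = @_;
    my $marks = join ',', ('?') x $n;
    (my $sql = $tmpl) =~ s/%k/$marks/g;   # taint propagates through s///
    return $sql;
}

# Launder a clause through an allow-list; a regex capture is untainted.
sub untaint_sql {
    my ($sql) = @_;
    return $1 if $sql =~ /\A([\w\s,.*=()?<>%-]+)\z/;
    die "unexpected characters in SQL clause\n";
}

# TaintIn makes DBI check method arguments when Perl runs with -T.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE users (uname TEXT, policy_name TEXT)');

for my $case ([clean => $clean], [dirty => $dirty],
              [laundered => untaint_sql($dirty)]) {
    my ($label, $tmpl) = @$case;
    my $sql = expand_keys($tmpl, 4);
    my $ok  = eval { $dbh->prepare($sql); 1 };
    my $err = $ok ? '' : $@;
    $err =~ s/ at .*//s;                  # drop the file/line suffix
    printf "%-9s tainted=%d prepare=%s\n", $label, tainted($sql) ? 1 : 0,
           $ok ? 'ok' : "failed: $err";
}
```

Only the dirty case fails, with the same "Insecure dependency in parameter 1" message as in the log; calling Scalar::Util::tainted on each string that goes into the statement narrows down which one carries the taint.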



