Hi All,

A few hours ago I received an e-mail message from Timo Sirainen (I attached the message) regarding a dangerous security bug in the dbmail imap daemon. Roel just fixed up 'quick-fix' patches (attached with this message) for this security bug since quite a lot of people are running the imap server in production.

Please keep in mind that this doesn't take care of the whole problem. It fixes the possibility of inserting SQL during the authentication process. An authenticated user can still inject SQL into normal imap commands. The remainder of these problems and the other problems noted in Timo Sirainen's message will be checked and fixed next Monday.

CVS also has an updated version. Good luck!

Eelco
From: Timo Sirainen <[EMAIL PROTECTED]>
Date: Fri Jul 25, 2003 18:34:06 Europe/Amsterdam
To: [EMAIL PROTECTED]
Subject: dbmail 1.1 sql injections

Looks like you've done nothing to prevent them. For example in login user name and mailbox names. Maybe elsewhere, didn't look enough. For example:

    x login "cras'; update users set passwd = 'bar' where userid = 'cras'; select user_idnr, passwd, encryption_type FROM users WHERE userid = 'cras" "bar"
    x OK LOGIN completed

Other things you might want to fix:

strncpy() calls in build_imap_search() don't leave space for the trailing \0.

Handling literals in build_args_array_ext() doesn't limit the literal size in any way. So a user could just make the server allocate as much memory as it wants to. Also you don't check if fgetc() returns -1, so a user can just give a literal size of 2GB and disconnect, and the server will fill the memory with -1.

And you might want to look at the literal stuff in http://irccrew.org/~cras/security/advisories/imap-clients.txt, although your server currently isn't vulnerable to it because you're using signed integers for cnt/quotedSize.
Attachments:
    dbauthmysql.c.patch
    dbauthpgsql.c.patch
_________________________
E.J.A. van Beek
ICT Manager IC&S
T: +31 30 2322878
F: +31 30 2322305
PGP-key: www.ic-s.nl/keys/eelco.txt
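A defender-side illustration of the fix Timo asks for, added here as an example and not dbmail code or either author's patch: the IMAP LOGIN userid is validated against a character allowlist before it is placed in the lookup query quoted in his message, so the injected string is rejected outright. The function names, the MAX_USERID limit and the allowlist itself are assumptions; a prepared statement or the database driver's escaping routine remains the preferred fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit, not taken from dbmail: reject over-long userids. */
#define MAX_USERID 64

/* Hypothetical helper: accept a userid only if it is non-empty, shorter
 * than MAX_USERID and every byte is in a conservative allowlist (letters,
 * digits, '.', '_', '-', '@'). Quotes, semicolons and backslashes can
 * therefore never reach the SQL text. Returns 1 if safe, 0 otherwise. */
int userid_is_safe(const char *userid)
{
    size_t len = strlen(userid);
    if (len == 0 || len >= MAX_USERID)
        return 0;
    for (const char *p = userid; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return 0;
    }
    return 1;
}

/* Builds the user lookup shown in the advisory. As in that query, only the
 * userid is interpolated; the password is compared after the row is read.
 * Returns 0 and fills `out` on success, -1 if the userid fails validation
 * or the query does not fit in `outlen` bytes (no silent truncation). */
int build_login_query(const char *userid, char *out, size_t outlen)
{
    if (!userid_is_safe(userid))
        return -1;
    int n = snprintf(out, outlen,
                     "SELECT user_idnr, passwd, encryption_type "
                     "FROM users WHERE userid = '%s'", userid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```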
