Package: dbmail-mysql
Version: 1.2.11-1
Severity: grave
Tags: security
Justification: user security hole


Initially spotted as I'd tried to set up an account with an owner name of
"Familly" and was being told that "Familly" was not a valid column in
the table. Further investigation of the source code showed no escaping
of user-supplied data. I was using md5 passwords, so perhaps a quote or
something managed to get into the query.

I've downloaded version 2 from the upstream site and a lot of work has
been done on this so I'm far happier to use that. The package design
looks quite solid. I'd have still preferred parameterised queries as
that's a lot more bulletproof. Version 2's database access has been
spread around a little more so it's harder to retrofit that there
(will take a bit more code reading to work out how best). I don't know
whether or not MySQL or Postgres would take advantage of query caching
if parameterised queries are used.

Thanks

 - Richard

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-mm4
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages dbmail-mysql depends on:
ii  debconf                     1.4.47       Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libmysqlclient10            3.23.56-2    LGPL-licensed client library for M
ii  ucf                         1.17         Update Configuration File: preserv
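
An owner name rejected as an unknown column is what a database returns when a value is concatenated into the statement text without quoting or escaping. The block below is an added example, not dbmail's code and not from the reporter: it reproduces that symptom and the parameterised alternative using Python's sqlite3 in place of MySQL, and the `users` table, its rows and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Hypothetical table and rows, constructed for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, owner TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Familly"), ("bob", "O'Brien")])
    return db

def find_concat(db, owner, quoted=False):
    # 'Before' form: the value is pasted into the SQL text, unescaped.
    literal = "'%s'" % owner if quoted else owner
    sql = "SELECT userid FROM users WHERE owner = " + literal
    return sorted(r[0] for r in db.execute(sql))

def find_param(db, owner):
    # Parameterised form: the value is bound and never parsed as SQL.
    sql = "SELECT userid FROM users WHERE owner = ?"
    return sorted(r[0] for r in db.execute(sql, (owner,)))

def outcome(fn, *args, **kwargs):
    # Return the rows, or the database error text if the statement fails.
    try:
        return fn(*args, **kwargs)
    except sqlite3.Error as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    db = make_db()
    # Unquoted value is parsed as an identifier: unknown column error.
    print(outcome(find_concat, db, "Familly"))
    # A value that names a real column changes what the query means.
    print(outcome(find_concat, db, "owner"))
    # Quoting without escaping still breaks on an embedded quote.
    print(outcome(find_concat, db, "O'Brien", quoted=True))
    # Bound parameters treat every one of these as plain data.
    for name in ("Familly", "owner", "O'Brien"):
        print(name, outcome(find_param, db, name))
```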

