Richard,

dbmail-1.2 was already pulled from testing because of the sql-injection bug.

You can use debian packages for dbmail-2 by adding to your sources.list:

deb http://debian.nfgd.net/debian unstable main

The packages are called dbmail2-mysql and dbmail2-pgsql. They are just about ready for upload to debian proper. I'll probably request removal of dbmail-1 from unstable next week or so.


Richard Corfield wrote:
Package: dbmail-mysql
Version: 1.2.11-1
Severity: grave
Tags: security
Justification: user security hole


Initially spotted as I'd tried to set up an account with an owner name of "Familly" and was being told that "Familly" was not a valid column in the table. Further investigation of the source code showed no escaping of user supplied data. I was using md5 passwords, so perhaps a quote or something managed to get into the query.

I've downloaded version 2 from the upstream site and a lot of work has
been done on this so I'm far happier to use that. The package design
looks quite solid. I'd have still preferred parameterised queries as
that's a lot more bulletproof. Version 2's database access has been
spread around a little more so it's harder to retrofit that there
(will take a bit more code reading to work out how best).  I don't know
whether or not MySQL or Postgres would take advantage of query caching
if parameterised queries are used.

Thanks

 - Richard

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-mm4
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages dbmail-mysql depends on:
ii  debconf                     1.4.47       Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libmysqlclient10            3.23.56-2    LGPL-licensed client library for M
ii  ucf                         1.17         Update Configuration File: preserv



--
  ________________________________________________________________
  Paul Stevens                                  mailto:[EMAIL PROTECTED]
  NET FACILITIES GROUP                     PGP: finger [EMAIL PROTECTED]
  The Netherlands________________________________http://www.nfg.nl
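To illustrate the class of bug the report describes (user-supplied data spliced into a query with no escaping) against the parameterised alternative Richard prefers, here is an added example. It is not dbmail code and does not use dbmail's schema: the `users` table, column names and the sample accounts are constructed for the demonstration, and SQLite stands in for MySQL/PostgreSQL so it runs offline. Passwords are stored as MD5 hex digests, as in the report's setup.

```python
import hashlib
import sqlite3

# Constructed stand-in for a mail-user table. Column names are an assumption
# made for this example, not dbmail's real schema.
SCHEMA = """
CREATE TABLE users (
    user_idnr INTEGER PRIMARY KEY,
    userid    TEXT NOT NULL UNIQUE,
    passwd    TEXT NOT NULL
);
"""


def md5_hex(text):
    """MD5 hex digest, mirroring the md5-password setup mentioned in the report."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """In-memory database with two constructed accounts (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (userid, passwd) VALUES (?, ?)",
        [("alice", md5_hex("s3cret")), ("o'brien", md5_hex("pw"))],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, userid, password):
    """Lookup with user data interpolated straight into the SQL: no escaping.

    A quote in `userid` either breaks the statement (syntax error) or lets the
    caller rewrite it, e.g. userid = "alice' --" comments out the password check.
    """
    sql = "SELECT user_idnr FROM users WHERE userid = '%s' AND passwd = '%s'" % (
        userid,
        md5_hex(password),
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_parameterised(conn, userid, password):
    """Same lookup with bound parameters: the driver sends values out of band,
    so a quote in `userid` is just data and can never change the query shape."""
    sql = "SELECT user_idnr FROM users WHERE userid = ? AND passwd = ?"
    row = conn.execute(sql, (userid, md5_hex(password))).fetchone()
    return row[0] if row else None


def login_outcomes(conn, lookup):
    """Run four logins through `lookup` and report what each one returned."""
    out = {}
    out["legit"] = lookup(conn, "alice", "s3cret")          # correct password
    out["wrong_pw"] = lookup(conn, "alice", "nope")         # wrong password
    out["bypass"] = lookup(conn, "alice' --", "nope")       # injected comment
    try:
        out["quoted_name"] = lookup(conn, "o'brien", "pw")  # apostrophe in name
    except sqlite3.OperationalError as exc:
        out["quoted_name"] = "error: %s" % exc
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_outcomes(db, find_user_vulnerable))
    print("parameterised: ", login_outcomes(db, find_user_parameterised))
```

Run against the constructed data, the vulnerable lookup authenticates `alice' --` without a password and fails outright on the legitimate `o'brien` account, which is the same symptom as the report's "not a valid column" error: the user's text has become part of the query. The parameterised lookup returns the right id for both real accounts and `None` for the injection attempt.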

