Another lesson to RTFM! Thanks for your help Chris. Regards, Mark
On Tue, May 04, 2010 at 01:12:20PM +0200, Chris Wilson wrote:
> Hi Mark,
>
>> I've tested again and it is accepting BOTH a blank username and password
>> as successful.
>
> OK, I understood from your initial description that you had already
> tested this, which is why I didn't suggest it.
>
>> We've added in an exception when the user is not found, which causes
>> exim to receive an error and not accept blank username/password. This
>> must be a problem with my Exim configuration though. If 0 rows are
>> returned why isn't the authentication attempt rejected?
>
> There is a section on this in the manual:
>
> "Warning: If you use a lookup in the expansion to find the user's
> password, be sure to make the authentication fail if the user is unknown.
> There are good and bad examples at the end of the next section...
>
> Why is this example incorrect? It works fine for existing users, but
> consider what happens if a non-existent user name is given. The lookup
> fails, but as no success/failure strings are given for the lookup, it
> yields an empty string. Thus, to defeat the authentication, all a client
> has to do is to supply a non-existent user name and an empty password."
>
> Your query will return no rows (empty string) for both username and
> password if the user does not exist. That's probably why this combination
> is allowed.
>
> Cheers, Chris.
> --
>     _ ___ __ _
>    / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
>   / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
>   \ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
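The bad-versus-good pattern Chris points to, written out for a MySQL-backed PLAIN authenticator. This is an added example, not configuration from the thread or from the Exim manual; the table and column names (`users`, `username`, `password`) are assumed, and the authenticator names `plain_bad` and `plain_good` are placeholders.

```exim
# Added example (not from the thread): two versions of a PLAIN authenticator
# whose password is fetched with a MySQL lookup. Table and column names are
# assumptions. With server_prompts = ":" the PLAIN data is split so that
# $auth2 is the username and $auth3 is the password.

# BAD: the lookup has no {success}{failure} branches, so for an unknown
# user it expands to the empty string. A client that sends an unknown
# username together with an empty password then satisfies
# eq{$auth3}{""} and is authenticated.
plain_bad:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if eq{$auth3}{${lookup mysql{SELECT password \
                       FROM users WHERE username='${quote_mysql:$auth2}'}}}}
  server_set_id = $auth2

# GOOD: the failure branch of the lookup yields "false" whenever no row
# comes back, so an unknown user can never match. The password comparison
# runs only in the success branch, on $value.
plain_good:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${lookup mysql{SELECT password \
                       FROM users WHERE username='${quote_mysql:$auth2}'} \
                       {${if eq{$value}{$auth3}}} {false}}
  server_set_id = $auth2
```

The explicit `{false}` branch is what makes the difference: the decision for "user not found" is made by the configuration rather than falling out of whatever an empty expansion happens to compare equal to. The Exim manual adds that if the comparison uses `crypteq` instead of `eq` the first form is in fact safe, because `crypteq` always fails when its second argument is empty, but the second form keeps the logic visible. After changing the condition, confirm in the main log that an AUTH attempt for a username that does not exist is logged as an authenticator failure rather than a successful authentication.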
