Re: Bad SQL query from Squirrelmail


 



2011.10.24 15:02 Garry Taylor wrote:
> On 24/10/2011 12:51, Dotan Cohen wrote:
>> Hi all, new Squirrelmail admin here.
>>
>> Running the latest Squirrelmail on CentOS 6, my valid users get the
>> message "Unknown user or password incorrect." when logging in. I see
>> this in the maillog:
>>
>>
>> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
>> Query failed, retrying: You have an error in your SQL syntax; check
>> the manual that corresponds to your MySQL server version for the right
>> syntax to use near '��anotherUser’' at line 1
>>
> Hi Dotan, the user might be placing the char ' in their user name.
>
> For example: Garry
> becomes: 'Garry'
>
> This is quite serious if this is true as it means that SM suffers from
> an SQL injection and your system could be hacked.
> This is very unlikely as the SQ team rock..
>
> An SQL error like this is still very serious!

It is not a SquirrelMail issue. If you can perform SQL injection with a
custom username fed to the IMAP server, the problem exists on port 143 or in
the port 143 service configuration.

SquirrelMail does not execute SQL queries when it sends the username to the
IMAP service.

-- 
Tomas
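A worked illustration of the point made above, added here as an example and not code from the SquirrelMail or Dovecot projects. The first part builds the raw IMAP LOGIN line for a username that contains quote characters, so the same username can be sent straight to the IMAP port with SquirrelMail out of the loop. The second part is a stand-in for an IMAP auth backend, using sqlite3 and a constructed `users` table, that looks the user up once by splicing the name into the query text and once with a bound parameter; it shows why a quote in the name produces a "syntax error near ..." in the first case and a plain "unknown user" in the second. How the real server on the thread's system builds its query is not known from the thread; the table, usernames and both lookup functions are assumptions made for the example.

```python
"""Reproduce a quote-in-username failure at the IMAP layer and model the
two ways a SQL-backed auth service can handle that username.

Added example; not SquirrelMail or Dovecot code.  The user table and the
two lookup strategies are constructed here for illustration only.
"""
import sqlite3
from typing import Optional


def imap_quote(s: str) -> str:
    """Return s as an RFC 3501 quoted string.

    Inside a quoted string only backslash and double quote are escaped.
    CR, LF and non-ASCII bytes are not allowed in a quoted string at all;
    they would require an IMAP literal ({n}\r\n...), which this helper
    does not produce.
    """
    if any(ord(c) > 0x7F or c in "\r\n" for c in s):
        raise ValueError("username needs an IMAP literal, not a quoted string")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_imap_login(tag: str, user: str, password: str) -> str:
    """The exact LOGIN line a client sends, CRLF-terminated.

    Feeding this to port 143 (or 993 via openssl s_client) reproduces the
    thread's login without SquirrelMail, so a SQL error in the maillog
    after this step cannot be SquirrelMail's doing.
    """
    return f"{tag} LOGIN {imap_quote(user)} {imap_quote(password)}\r\n"


def _backend() -> sqlite3.Connection:
    """Constructed stand-in for the mail server's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('garry', 'secret')")
    return conn


def lookup_interpolated(user: str) -> Optional[str]:
    """Auth backend that splices the username into the SQL text.

    A quote in the username becomes SQL syntax: the database raises a
    syntax error 'near' the offending text, the same shape as the maillog
    line in the thread.  Other inputs can change the query's meaning.
    """
    conn = _backend()
    sql = f"SELECT password FROM users WHERE userid = '{user}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(user: str) -> Optional[str]:
    """Same lookup with the username bound as a parameter.

    The quote stays data; an unknown user is simply not found and the
    caller reports 'unknown user or password incorrect' with no SQL error.
    """
    conn = _backend()
    row = conn.execute(
        "SELECT password FROM users WHERE userid = ?", (user,)
    ).fetchone()
    return row[0] if row else None


def classify(user: str) -> str:
    """Describe how the interpolating backend reacts to a given username."""
    try:
        lookup_interpolated(user)
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"
    return "ok"


if __name__ == "__main__":
    # Constructed username of the form seen in the thread: quotes included.
    bad_user = "'anotherUser'"
    print(repr(build_imap_login("a001", bad_user, "hunter2")))
    print("interpolated:", classify(bad_user))
    print("parameterized:", lookup_parameterized(bad_user))
```

To run the check the reply describes, pipe the LOGIN line (it already carries the CRLF IMAP requires) into `nc host 143`, or into `openssl s_client -connect host:993` for IMAPS, and watch the maillog. If the same "error in your SQL syntax" appears with SquirrelMail nowhere in the path, the fault is in the IMAP service or its auth configuration, exactly as stated above. The model also shows why the concern in the quoted message is warranted when interpolation is in use: a username such as `' OR '1'='1` returns the first stored password from `lookup_interpolated` but nothing from `lookup_parameterized`.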



-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


