[Dovecot] Dovecot's MySQL authentication driver
Hi, I'm wondering if Dovecot has any mechanism which prevents SQL injection? I didn't find anything about that. How can I escape inputs in an SQL query?
Best regards.
Hi,
I'm using a specific SQL user for dovecot and postfix, and this user only has SELECT rights to the database. Works well.
Regards,
Thierry
On Wed, 15 Nov 2006 14:55:17 +0100 (CET), guard wrote:
Hi, I'm wondering if Dovecot has any mechanism which prevents SQL injection? I didn't find anything about that. How can I escape inputs in an SQL query?
Best regards.
I've taken this even further: I have separate 'users' for postfix, postfixadmin (web frontend for virtual users/domains) and dovecot. Each *might* need specific rights.
Egbert Jan
-----Original Message-----
From: dovecot-bounces@dovecot.org [mailto:dovecot-bounces@dovecot.org] On Behalf Of Thierry de Montaudry
Sent: Wednesday, November 15, 2006 8:42 PM
To: dovecot@dovecot.org; guard
Subject: Re: [Dovecot] Dovecot's MySQL authentication driver
Hi,
I'm using a specific SQL user for dovecot and postfix, and this user only has SELECT rights to the database. Works well.
Regards,
Thierry
On Wed, 15 Nov 2006 14:55:17 +0100 (CET), guard wrote:
Hi, I'm wondering if Dovecot has any mechanism which prevents SQL injection? I didn't find anything about that. How can I escape inputs in an SQL query?
Best regards.
Egbert Jan wrote:
I've taken this even further: I have separate 'users' for postfix, postfixadmin (web frontend for virtual users/domains) and dovecot. Each *might* need specific rights.
Using restricted user rights and chroots and what not does not prevent SQL injection in any way.
Robin
On Thu, 16 Nov 2006, Robin Elfrink wrote:
Egbert Jan wrote:
I've taken this even further: I have separate 'users' for postfix, postfixadmin (web frontend for virtual users/domains) and dovecot. Each *might* need specific rights.
Using restricted user rights and chroots and what not does not prevent SQL injection in any way.
Indeed.
But as long as auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ is set, and default_pass_scheme won't be PLAIN, we are secure against SQL injection. Right?
I have also found the %E variable - escape '"', "'" and '\' characters by inserting '\' before them - but how can I use it to escape characters from %u?
Best Regards.
On Thu, 2006-11-16 at 09:41 +0100, guard wrote:
As long as auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ is set, and default_pass_scheme won't be PLAIN, we are secure against SQL injection. Right?
Right.
I have also found the %E variable - escape '"', "'" and '\' characters by inserting '\' before them - but how can I use it to escape characters from %u?
Don't. All the %vars are properly escaped when used in pass_query and user_query. I'm not sure what happens if you use %E, at best it just adds extra '\' and at worst it would cause SQL injection hole possibilities.
They're also escaped properly in LDAP queries.
If Dovecot didn't do these, it really shouldn't deserve to be advertised as "Secure IMAP server" :P
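The two protections the thread settles on, the auth_username_chars whitelist and the automatic escaping of %u inside pass_query, are easy to see side by side in a small simulation. The following is an added illustration written for this archive page, not Dovecot's own code: it re-implements the escaping rule the thread quotes for %E (a backslash before ", ' and \) and the default username whitelist from the thread, applies them to a hypothetical pass_query, and also shows what double escaping (%E%u) does to a legitimate name, which is the extra-backslash effect Timo warns about. The query template and the sample usernames are constructed for the example.

```python
# Added illustration of the thread's two defences against SQL injection in
# Dovecot's SQL auth driver. This is NOT Dovecot's code; it mimics the
# behaviour the thread describes so the effect can be observed offline.

# Default auth_username_chars as quoted in the thread.
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Hypothetical pass_query; the table and column names are assumptions.
PASS_QUERY = "SELECT password FROM users WHERE userid = '%u'"


def username_allowed(user, allowed=DEFAULT_USERNAME_CHARS):
    """True if every character of the login name is in auth_username_chars."""
    return all(c in allowed for c in user)


def sql_escape(value):
    """Escape as the thread describes %E: a backslash before ", ' and \\."""
    out = []
    for c in value:
        if c in '"\'\\':
            out.append('\\')
        out.append(c)
    return ''.join(out)


def expand_pass_query(user, template=PASS_QUERY, allowed=DEFAULT_USERNAME_CHARS):
    """Whitelist the name, then substitute an escaped %u.

    Returns None when the name is rejected by the whitelist: in that case
    authentication fails before any query is built, so nothing reaches MySQL.
    """
    if not username_allowed(user, allowed):
        return None
    return template.replace('%u', sql_escape(user))


def naive_expand(user, template=PASS_QUERY):
    """What a driver that substituted %u verbatim would send (the bug the
    original poster was worried about)."""
    return template.replace('%u', user)


def double_escaped_query(user, template=PASS_QUERY):
    """Effect of writing %E%u: the already-escaped value is escaped again,
    so a legitimate apostrophe picks up extra backslashes."""
    return template.replace('%u', sql_escape(sql_escape(user)))


if __name__ == "__main__":
    for name in ("alice@example.com", "' OR '1'='1", "o'brien"):
        print(repr(name))
        print("  naive    :", naive_expand(name))
        print("  dovecot  :", expand_pass_query(name))
        # Relax the whitelist to show that escaping alone still neutralises the quote.
        print("  escaped  :", expand_pass_query(name, allowed=DEFAULT_USERNAME_CHARS + "' ="))
        print("  %E%u     :", double_escaped_query(name))
```

Run stand-alone it prints, for each constructed name, the query a verbatim substitution would produce, the query after the whitelist (None for names containing a quote), the query with the whitelist relaxed so only the escaping stands between the input and MySQL, and the doubly escaped form. The whitelist is the first line of defence, the escaping the second, and both are applied before the text ever reaches the database; the third case shows why stacking %E on top of %u is not a harmless belt-and-braces measure.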
participants (7)
- Egbert Jan
- guard
- Jakob Hirsch
- Luca Corti
- Robin Elfrink
- Thierry de Montaudry
- Timo Sirainen