[Secure-testing-team] Bug#485424: courier-authlib: possible sql injection

Steffen Joeris steffen.joeris at skolelinux.de
Mon Jun 9 12:39:00 UTC 2008


Package: courier-authlib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It was announced that courier-authlib suffers from an SQL injection
vulnerability with MySQL databases that use non-Latin character
sets.
For more information see this link[0]. There is also a follow-up here[1].
A CVE id has already been requested and will be added to this bug report
once it is available.

The patch is attached, please review and consider including it.

Cheers
Steffen

[0]: http://marc.info/?l=courier-users&m=121293814822605&w=2

[1]: http://marc.info/?l=courier-users&m=121294465330832
-------------- next part --------------
--- courier-authlib-0.60.1.orig/authmysqllib.c
+++ courier-authlib-0.60.1/authmysqllib.c
@@ -110,6 +110,43 @@
 
 static MYSQL *mysql=0;
 
+static void set_session_options(void)
+/*
+* session variables can be set once for the whole session
+*/
+{
+/* Anton Dobkin <anton at viansib.ru>, VIAN, Ltd. */
+#if MYSQL_VERSION_ID >= 41000
+       const char *character_set=read_env("MYSQL_CHARACTER_SET"), *check;
+
+        if(character_set){
+
+            /*
+            * This function works like the SET NAMES statement, but also sets
+            * the value of mysql->charset, and thus affects the character set
+            * used by mysql_real_escape_string()
+            *
+            * (return value apparently work the opposite of what is documented)
+            */
+            mysql_set_character_set(mysql, character_set);
+            check = mysql_character_set_name(mysql);
+            if (strcmp(character_set, check) != 0)
+            {
+                err("Cannot set MySQL character set \"%s\", working with \"%s\"\n",
+                    character_set, check);
+            }
+            else
+            {
+                DPRINTF("Install of a character set for MySQL: %s", character_set);
+            }
+        }
+#endif /* 41000 */
+}
+
+
+
+
+
 static int do_connect()
 {
 const	char *server;
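Review bot: set_session_options() is declared void, so when the `if (strcmp(character_set, check) != 0)` branch finds that MYSQL_CHARACTER_SET was not applied, the mismatch is only logged through err() and the caller in hunk 2 still lets do_connect() return 0. The reason the charset setup moved here is that mysql_real_escape_string() escapes according to mysql->charset, so a session whose charset could not be set is precisely the one in which multibyte input may be escaped incorrectly; it should fail the connect rather than proceed. Suggest `static int set_session_options(void)` returning `-1` from the mismatch branch and `0` otherwise, with hunk 2 checking `if (set_session_options())` and taking the same failure path whose tail (`mysql=0; return (-1);`) is visible at the top of that hunk. The ignored return of mysql_set_character_set() is compensated by the name comparison, but that comparison presumably expects the canonical name that mysql_character_set_name() reports, so an alias or different-case spelling in MYSQL_CHARACTER_SET would be reported as a failure — worth stating in the comment above the call so administrators know to use the canonical name.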
@@ -236,6 +273,17 @@
 		mysql=0;
 		return (-1);
 	}
+
+        DPRINTF("authmysqllib: connected. Versions: "
+                "header %lu, "
+                "client %lu, "
+                "server %lu",
+                (long)MYSQL_VERSION_ID,
+                mysql_get_client_version(),
+                mysql_get_server_version(mysql));
+ 
+        set_session_options();
+
 	return (0);
 }
 
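Review bot: The DPRINTF added after the error check passes `(long)MYSQL_VERSION_ID` to a `%lu` conversion, which mismatches the signed cast; the other two arguments are the unsigned long values returned by mysql_get_client_version() and mysql_get_server_version(), so the first should be `(unsigned long)MYSQL_VERSION_ID` to keep all three consistent with the format string. Whether DPRINTF forwards its format to a printf-family function with format checking is not visible here, so on common ABIs this is a warning-class issue rather than a behavioural one, but it is cheap to fix in the same patch. do_connect() begins outside this hunk.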
@@ -779,42 +827,6 @@
 		}
 	}
 
-/* Anton Dobkin <anton at viansib.ru>, VIAN, Ltd. */
-#if MYSQL_VERSION_ID >= 41000    
-	const char *character_set=read_env("MYSQL_CHARACTER_SET");
-    
-        if(character_set){
-            
-    	    char *character_set_buf;
-        	
-            character_set_buf=malloc(strlen(character_set)+11);
-        	        
-    	    if (!character_set_buf)
-            {
-		perror("malloc");
-        	return (0);
-    	    }
-        	    				    
-    	    strcpy(character_set_buf, "SET NAMES ");
-           strcat(character_set_buf, character_set);
-        	    						
-            DPRINTF("Install of a character set for MySQL. SQL query: SET NAMES %s", character_set);	
-        	    							
-            if(mysql_query (mysql, character_set_buf))
-    	     {    
-                err("Install of a character set for MySQL is failed: %s MYSQL_CHARACTER_SET: may be invalid character set", mysql_error(mysql));
-    	        auth_mysql_cleanup();
-        		    
-    		if (do_connect())
-        	{
-        	    free(character_set_buf);
-        	    return (0);
-        	}
-    	     }
-    	    
-    	    free(character_set_buf);
-        }
-#endif	
 
 	DPRINTF("SQL query: %s", querybuf);
 	if (mysql_query (mysql, querybuf))

