Hi!
>>>>> "Aaron" == Aaron Newsome <aaron.d.newsome@stripped> writes:
Aaron> Download available at:
Aaron> http://earth.alsland.com/anewsome/pwcheck_mysql-0.1.tar.gz
Aaron> $Id: README,v 1.2 1999/06/14 14:57:57 anewsome Exp $
Aaron> pwcheck_mysql is an authentication module for the Cyrus IMAP server. It
Aaron> allows IMAP mail users to be authenticated against a MySQL database. This
Aaron> is nice because it allows you to have IMAP mail users without having
Aaron> regular UNIX accounts. There are probably many caveats to using this
Aaron> module including:
Aaron> o Passwords will show up in the MySQL log if you have logging on your
Aaron> MySQL server, this is the default. Although this module is designed to
Aaron> encrypt passwords as they are stored in the database, they can still be
Aaron> seen in plain text in the SQL logs; this is due to the fact that I am using
Aaron> password () in my SQL statement, a MySQL specific function. If anyone
Aaron> knows how to encrypt the password before doing the "select" statement,
Aaron> that would be great. I think it has something to do with the scramble()
Aaron> function in $mysql_src/client/password.c, maybe one of you experts out
Aaron> there can tell me. If this security hole bothers you, you could either run
Aaron> your MySQL server without logging or symlink your log to /dev/null, which
Aaron> is what I do and it's a little more flexible for me but of course YMMV. I
Aaron> also believe that the mysql.log file is chmod 600, so how big of an issue
Aaron> could this really be?
Instead of using:
sprintf(qbuf,QUERY_STRING,DB_UIDCOL,DB_TABLE,DB_UIDCOL,userid,DB_PWCOL,password);
Where password is inserted into "password('%s')"
Use:
char crypted_pw[65];
make_scrambled_password(crypted_pw,password);
and insert crypted_pw with '%s' instead of 'password('%s')'
Regards,
Monty
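The change Monty describes, written out as an added example in C. This is not code from the thread or from pwcheck_mysql: the table and column names, the two QUERY_STRING formats and the buffer sizes are assumed, and the scramble routine is a from-memory reimplementation of the pre-4.1 hash in $mysql_src/client/password.c; its equivalence to libmysqlclient's make_scrambled_password() is an assumption, so link the real function in practice. The point it demonstrates is the one that matters for the query log: with password('%s') the plaintext is part of the SQL text the server receives and logs, whereas after scrambling on the client only the 16-hex-digit digest ever reaches the server.

```c
/* Added example (not from pwcheck_mysql): scramble the password on the
 * client so the plaintext never appears in the SQL text, and therefore
 * never in the MySQL query log. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed schema and query shapes; pwcheck_mysql's real ones may differ. */
#define DB_TABLE  "imapusers"
#define DB_UIDCOL "userid"
#define DB_PWCOL  "password"
#define QUERY_LEN 512

/* Before: the server evaluates password('%s'), so the plaintext is in the query. */
#define QUERY_STRING_OLD \
    "select %s from %s where %s='%s' and %s=password('%s')"
/* After: the client supplies the already-scrambled value as a plain string. */
#define QUERY_STRING_NEW \
    "select %s from %s where %s='%s' and %s='%s'"

/* Pre-4.1 MySQL password hash as recalled from client/password.c
 * (assumption: not verified against libmysqlclient; prefer linking the
 * library's make_scrambled_password()). */
static void hash_password(uint32_t result[2], const char *password)
{
    uint32_t nr = 1345345333UL, add = 7, nr2 = 0x12345671UL, tmp;
    for (; *password; password++) {
        if (*password == ' ' || *password == '\t')
            continue;                       /* the original ignores whitespace */
        tmp = (uint32_t)(unsigned char)*password;
        nr  ^= (((nr & 63) + add) * tmp) + (nr << 8);
        nr2 += (nr2 << 8) ^ nr;
        add += tmp;
    }
    result[0] = nr  & 0x7fffffffUL;
    result[1] = nr2 & 0x7fffffffUL;
}

/* Writes the 16-hex-character digest; `to` must hold at least 17 bytes. */
void make_scrambled_password(char *to, const char *password)
{
    uint32_t h[2];
    hash_password(h, password);
    sprintf(to, "%08lx%08lx", (unsigned long)h[0], (unsigned long)h[1]);
}

/* Pre-fix query builder: the secret is interpolated in plaintext. */
int build_query_plaintext(char *qbuf, size_t qlen,
                          const char *userid, const char *password)
{
    return snprintf(qbuf, qlen, QUERY_STRING_OLD,
                    DB_UIDCOL, DB_TABLE, DB_UIDCOL, userid, DB_PWCOL, password);
}

/* Fixed query builder: only the digest (hex digits, nothing to quote) is
 * interpolated. userid is still a raw string here; quote/escape it with the
 * client library (mysql_escape_string) before using it in a real query. */
int build_query_scrambled(char *qbuf, size_t qlen,
                          const char *userid, const char *password)
{
    char crypted_pw[65];
    make_scrambled_password(crypted_pw, password);
    return snprintf(qbuf, qlen, QUERY_STRING_NEW,
                    DB_UIDCOL, DB_TABLE, DB_UIDCOL, userid, DB_PWCOL, crypted_pw);
}

/* 1 if the plaintext secret is present anywhere in the SQL text
 * (which is what the query log would record), else 0. */
int query_leaks_secret(const char *qbuf, const char *password)
{
    return strstr(qbuf, password) != NULL;
}

int main(void)
{
    /* Constructed sample credentials, not real ones. */
    const char *userid = "alice", *password = "s3cret-pw";
    char q_old[QUERY_LEN], q_new[QUERY_LEN];

    build_query_plaintext(q_old, sizeof q_old, userid, password);
    build_query_scrambled(q_new, sizeof q_new, userid, password);
    printf("old: %s\n  leaks plaintext: %d\n", q_old, query_leaks_secret(q_old, password));
    printf("new: %s\n  leaks plaintext: %d\n", q_new, query_leaks_secret(q_new, password));
    return 0;
}
```

The stored column still has to hold the same digest the client produces, so the scramble on both ends must be the identical algorithm; that is the reason to take it from the MySQL client library rather than rolling your own. Note that the digest is a fast unsalted hash, not a defence for the stored column itself, so the chmod 600 on mysql.log and on the table files still matters.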