List: General Discussion
From: Michael Widenius   Date: June 28 1999 7:14pm
Subject: ANNOUNCE: pwcheck_mysql-0.1
Hi!

>>>>> "Aaron" == Aaron Newsome <aaron.d.newsome@stripped> writes:

Aaron> Download available at:
Aaron> 	http://earth.alsland.com/anewsome/pwcheck_mysql-0.1.tar.gz


Aaron> $Id: README,v 1.2 1999/06/14 14:57:57 anewsome Exp $

Aaron> pwcheck_mysql is an authentication module for the Cyrus IMAP server. It
Aaron> allows IMAP mail users to be authenticated against a MySQL database. This
Aaron> is nice because it allows you to have IMAP mail users without having
Aaron> regular UNIX accounts. There are probably many caveats to using this
Aaron> module including:

Aaron> o Passwords will show up in the MySQL log if you have logging on your
Aaron> MySQL server, which is the default. Although this module is designed to
Aaron> encrypt passwords as they are stored in the database, they can still be
Aaron> seen in plain text in the SQL logs; this is due to the fact that I am using
Aaron> password() in my SQL statement, a MySQL specific function. If anyone
Aaron> knows how to encrypt the password before doing the "select" statement,
Aaron> that would be great. I think it has something to do with the scramble()
Aaron> function in $mysql_src/client/password.c, maybe one of you experts out
Aaron> there can tell me. If this security hole bothers you, you could either run
Aaron> your MySQL server without logging or symlink your log to /dev/null, which
Aaron> is what I do and it's a little more flexible for me but of course YMMV. I
Aaron> also believe that the mysql.log file is chmod 600, so how big of an issue
Aaron> could this really be.

Instead of using:

 sprintf(qbuf,QUERY_STRING,DB_UIDCOL,DB_TABLE,DB_UIDCOL,userid,DB_PWCOL,password);

Where password is inserted into "password('%s')"

Use:

   char crypted_pw[65];                          /* holds the 16 hex chars PASSWORD() produces */
   make_scrambled_password(crypted_pw,password); /* hash on the client side */

and insert crypted_pw with '%s' instead of 'password('%s')'

Regards,
Monty
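Worked example of the change Monty describes, added here and not code from pwcheck_mysql or from either poster. It assumes a QUERY_STRING of the shape "select uid from table where uid='...' and pw=...", uses constructed DB_* values, and stands in for make_scrambled_password() with a from-memory re-implementation of the pre-4.1 MySQL scramble in 32-bit arithmetic; a real module links libmysqlclient and calls the library function instead.

```c
/*
 * Added example, not part of the original thread or of pwcheck_mysql.
 * Shows why Aaron's query puts the plaintext password into the server's
 * query log and how Monty's suggestion (hash on the client, send the hash)
 * keeps it out.  The scramble below is a from-memory re-implementation of
 * the pre-4.1 MySQL algorithm behind make_scrambled_password(), done in
 * 32-bit arithmetic, and stands in for the libmysqlclient function.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of pwcheck_mysql's DB_* settings (constructed values). */
#define DB_TABLE  "users"
#define DB_UIDCOL "uid"
#define DB_PWCOL  "pw"

/* Old MySQL password hash: two 31-bit words derived from the password. */
static void old_hash_password(uint32_t result[2], const char *password)
{
    uint32_t nr = 1345345333UL, add = 7, nr2 = 0x12345671UL;
    for (; *password; password++) {
        if (*password == ' ' || *password == '\t')
            continue;                         /* the old scheme ignored blanks */
        uint32_t tmp = (uint32_t)(unsigned char)*password;
        nr  ^= (((nr & 63) + add) * tmp) + (nr << 8);
        nr2 += (nr2 << 8) ^ nr;
        add += tmp;
    }
    result[0] = nr  & 0x7fffffffUL;           /* sign bit cleared, as MySQL did */
    result[1] = nr2 & 0x7fffffffUL;
}

/* Writes the 16 lowercase hex digits PASSWORD() stored; 'to' needs 17 bytes. */
void old_make_scrambled_password(char *to, const char *password)
{
    uint32_t h[2];
    old_hash_password(h, password);
    sprintf(to, "%08lx%08lx", (unsigned long)h[0], (unsigned long)h[1]);
}

/* Aaron's form: the server evaluates password(), so the plaintext travels
 * inside the SQL text, which is exactly what the query log records. */
int build_query_server_side(char *qbuf, size_t n,
                            const char *userid, const char *password)
{
    return snprintf(qbuf, n,
        "select %s from %s where %s='%s' and %s=password('%s')",
        DB_UIDCOL, DB_TABLE, DB_UIDCOL, userid, DB_PWCOL, password);
}

/* Monty's form: scramble on the client and compare against the stored
 * PASSWORD() value, so only the hash appears in the SQL text. */
int build_query_client_side(char *qbuf, size_t n,
                            const char *userid, const char *password)
{
    char crypted_pw[65];                      /* same size Monty used */
    old_make_scrambled_password(crypted_pw, password);
    return snprintf(qbuf, n,
        "select %s from %s where %s='%s' and %s='%s'",
        DB_UIDCOL, DB_TABLE, DB_UIDCOL, userid, DB_PWCOL, crypted_pw);
}

/* 1 if the logged query text would expose the plaintext password. */
int query_leaks_plaintext(const char *query, const char *password)
{
    return strstr(query, password) != NULL;
}

/* 1 if s is exactly 16 lowercase hex digits (the old PASSWORD() format). */
int is_old_scramble_format(const char *s)
{
    if (strlen(s) != 16)
        return 0;
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || (*s >= 'a' && *s <= 'f')))
            return 0;
    return 1;
}

int main(void)
{
    const char *userid = "alice", *password = "s3cret-example"; /* constructed */
    char before[256], after[256];

    build_query_server_side(before, sizeof before, userid, password);
    build_query_client_side(after, sizeof after, userid, password);
    printf("logged before: %s\n  leaks plaintext: %d\n", before,
           query_leaks_plaintext(before, password));
    printf("logged after:  %s\n  leaks plaintext: %d\n", after,
           query_leaks_plaintext(after, password));
    return 0;
}
```

Two things worth keeping in mind with this form: the comparison works only because the stored column was populated with PASSWORD() and so holds the same 16-hex-digit value the client now computes, and the hash that does reach the log is, for this module, a password-equivalent (the server accepts whoever presents it), so the log still needs the restrictive permissions Aaron mentions; the change keeps the plaintext out of the log, it does not make the log harmless.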