2011.10.24 15:02 Garry Taylor wrote:
> On 24/10/2011 12:51, Dotan Cohen wrote:
>> Hi all, new Squirrelmail admin here.
>> Running the latest Squirrelmail on CentOS 6, my valid users get the
>> message "Unknown user or password incorrect." when logging in. I see
>> this in the maillog:
>> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
>> Query failed, retrying: You have an error in your SQL syntax; check
>> the manual that corresponds to your MySQL server version for the right
>> syntax to use near '‘anotherUser’' at line 1
> Hi Dotan, the user might be placing the char ' in their user name.
> For example: Garry
> becomes: 'Garry'
> This is quite serious if this is true as it means that SM suffers from
> an SQL injection and your system could be hacked.
> This is very unlikely as the SQ team rock..
> An SQL error like this is still very serious!
It is not a SquirrelMail issue. If you can perform SQL injection with a
custom username fed to the IMAP server, the problem exists on port 143 or in
the port 143 service's configuration.
SquirrelMail does not execute SQL queries when it sends the username to the IMAP
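The failure mode the thread describes is a backend that splices the login name straight into the SQL text, so a quote character in the name turns into a syntax error (and, in the worst case, into attacker-controlled SQL). The following is an added illustration, not code from the thread, from SquirrelMail or from Dovecot: it uses Python's built-in sqlite3 in place of MySQL and a constructed two-row user table, and sets a concatenated lookup beside a parameterised one plus a defence-in-depth username check.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL user table that a Dovecot
# password_query would consult (sample rows invented for this example).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("garry", "hashed-pw-1"), ("anotherUser", "hashed-pw-2")])
    conn.commit()
    return conn

def lookup_concat(conn, username):
    """Login name spliced into the statement text (the broken pattern).
    A quote in the name breaks the statement, which is what the
    'error in your SQL syntax' line in the maillog reflects. Returns the
    string 'syntax-error' instead of raising so both variants compare
    side by side."""
    sql = "SELECT password FROM users WHERE username = '" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "syntax-error"
    return row[0] if row else None

def lookup_param(conn, username):
    """Same lookup with a bound parameter: the driver sends the value
    separately from the statement text, so a quote is data, not syntax."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

# Characters a mailbox login realistically needs (assumed policy for this example).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-@")

def username_is_plausible(username):
    """Defence in depth in front of the auth backend: refuse names that
    contain characters a login never needs, so a stray quote is logged as
    a plain login failure and never reaches the database at all."""
    return 0 < len(username) <= 64 and all(c in ALLOWED for c in username)

if __name__ == "__main__":
    conn = build_db()
    for name in ["garry", "'Garry'"]:
        print(repr(name),
              "concat:", lookup_concat(conn, name),
              "param:", lookup_param(conn, name),
              "plausible:", username_is_plausible(name))
```

Run it and the quoted form of the name fails only in the concatenated variant; the parameterised lookup simply finds no such user. In a real deployment the equivalent check is in the IMAP/auth service configuration (for Dovecot, the SQL passdb query and its variable substitution), not in SquirrelMail, which only forwards the name over IMAP.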