SquirrelMail

On 24/10/2011 12:51, Dotan Cohen wrote:
> Hi all, new Squirrelmail admin here.
>
> Running the latest Squirrelmail on CentOS 6, my valid users get the
> message "Unknown user or password incorrect." when logging in. I see
> this in the maillog:
>
>
> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
> Query failed, retrying: You have an error in your SQL syntax; check
> the manual that corresponds to your MySQL server version for the right
> syntax to use near '��anotherUser’' at line 1
>
Hi Dontan, the user might be placing the char ' in their user name.

For example: Garry
becomes: 'Garry'

This is quite serious if this is true as it means that SM suffers from 
and SQL Injection and your system could be hacked.
This is very unlikely as the SQ team rock..

An SQL error like this is still very serious!

Have you tried to login to SM with the username/password (I know you 
said SSH but try SM as well); if so do you get the same error.

Also try downloading the source from the website and doing a: diff -ru 
source/ current/
where source is the downloaded Source and current is your current install.
If all is OK there should only be diffs in cache and config settings.

SM Guys, is the SVN repo safe and secure?

Giz

On Mon, Oct 24, 2011 at 14:02, Garry Taylor <giz@...> wrote:
> Hi Dontan, the user might be placing the char ' in their user name.
>
> For example: Garry
> becomes: 'Garry'
>

Nice idea, but alas it is not the issue. It is myself who is typing
the username and password in, and I am certain that there is no quote
in there. I am still in the testing phase, the system is not yet
deployed.


> Also try downloading the source from the website and doing a: diff -ru
> source/ current/
> where source is the downloaded Source and current is your current install.
> If all is OK there should only be diffs in cache and config settings.
>

I downloaded the SM source from here:
http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.22/squirrelmail-webmail-1.4.22.tar.gz

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

On 24/10/2011 15:39, Dotan Cohen wrote:
> On Mon, Oct 24, 2011 at 14:02, Garry Taylor<giz@...>  wrote:
>> Hi Dontan, the user might be placing the char ' in their user name.
>>
>> For example: Garry
>> becomes: 'Garry'
>>
> Nice idea, but alas it is not the issue. It is myself who is typing
> the username and password in, and I am certain that there is no quote
> in there. I am still in the testing phase, the system is not yet
> deployed.
>
>
>> Also try downloading the source from the website and doing a: diff -ru
>> source/ current/
>> where source is the downloaded Source and current is your current install.
>> If all is OK there should only be diffs in cache and config settings.
>>
> I downloaded the SM source from here:
> http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.22/squirrelmail-webmail-1.4.22.tar.gz
>

What are you using as your mail server? For example Qmail..
are you able to auth your username and passwords using telnet or any 
mail client?

2011.10.24 15:02 Garry Taylor rašė:
> On 24/10/2011 12:51, Dotan Cohen wrote:
>> Hi all, new Squirrelmail admin here.
>>
>> Running the latest Squirrelmail on CentOS 6, my valid users get the
>> message "Unknown user or password incorrect." when logging in. I see
>> this in the maillog:
>>
>>
>> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
>> Query failed, retrying: You have an error in your SQL syntax; check
>> the manual that corresponds to your MySQL server version for the right
>> syntax to use near '��anotherUser’' at line 1
>>
> Hi Dontan, the user might be placing the char ' in their user name.
>
> For example: Garry
> becomes: 'Garry'
>
> This is quite serious if this is true as it means that SM suffers from
> and SQL Injection and your system could be hacked.
> This is very unlikely as the SQ team rock..
>
> An SQL error like this is still very serious!

It is not a SquirrelMail issue. If you can perform SQL injection with
custom username feeded to IMAP server, problem exists on 143 port or in
143 port service configuration.

SquirrelMail does not execute SQL queries, when it sends username to IMAP
service.

-- 
Tomas

On Mon, Oct 24, 2011 at 17:00, Garry Taylor <giz@...> wrote:
> What are you using as your mail server? For example Qmail..

Dovecot.

> are you able to auth your username and passwords using telnet or any mail
> client?
>

I'll check and get right back.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

On Mon, Oct 24, 2011 at 18:55, Tomas Kuliavas
<tokul@...> wrote:
> SquirrelMail does not execute SQL queries, when it sends username to IMAP
> service.
>

I think that you are right, it is dovecot that interfaces with MySQL. Thanks.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

Some how I have become the recipient of these emails. Don't know why or how.
If you could help me not get them I would greatly appreciate it.
Thanks,
Judi


> On Mon, Oct 24, 2011 at 18:55, Tomas Kuliavas
> <tokul@...> wrote:
>> SquirrelMail does not execute SQL queries, when it sends username to
>> IMAP
>> service.
>>
>
> I think that you are right, it is dovecot that interfaces with MySQL.
> Thanks.
>
>
> --
> Dotan Cohen
>
> http://gibberish.co.il
> http://what-is-what.com
>
> ------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@... Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@...
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

On Tue, Oct 25, 2011 at 01:54,  <judi@...> wrote:
> Some how I have become the recipient of these emails. Don't know why or how.
> If you could help me not get them I would greatly appreciate it.
> Thanks,
> Judi
>
>

Hi Judi. Please click on this page and follow the instructions to
remove your email address:
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

I know it looks spammy, but that is the standard procedure for
unsubscribing from an open-source mailing list. I assure you that we
are reputable people with no intention to spam! I would assume that
you filled out a similar form just to have gotten subscribed.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com