similar to: Dovecot's MySQL authentication driver

Hello list. I'm thinking to migrate the hole user db from system users to mysql. I already did it in a test environment, but something is annoying my OCD... I don't quote the variables username and password sent to the mysql server. I know, the mysql user that dovecot uses only has select rights, but it stills bother me, because its possible to do an useless sql code injection. Is there a

Hi All, I am using Dovecot 1.0.13 with Vpopmail (Qmail Toaster current) backed by MySQL with one table per domain (--disable-many-domains) . What I cannot figure out is how to have Dovecot authenticate to Vpopmail when Vpopmail uses one table per domain. Basically I need dynamic SQL in the Dovecot-sql.conf file. Currently I have: password_query = select pw_clear_passwd as password from

Hi, on my way home today I thought a little bit about my setup which involves user and password lookups in an SQL database (Postgres). I asked myself whether I need to do anything to prevent SQL injection via forged user or domainnames. In the wiki I didn't find anything specific, only http://wiki.dovecot.org/Variables which mentions that there is the %E modifier which escapes single quites

> Am 02.02.2015 um 18:07 schrieb Juan Bernhard: >> Hello list. I'm thinking to migrate the hole user db from system users >> to mysql. I already did it in a test environment, but something is >> annoying my OCD... I don't quote the variables username and password >> sent to the mysql server. I know, the mysql user that dovecot uses only >> has select

Hi, I've done some supplementary tests with tcpdump. Apparently, with a login containing the % character, there's no query send to MySQL. Do you know if the % character is filtered by dovecot ? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://dovecot.org/pipermail/dovecot/attachments/20050112/03106298/attachment-0002.html>

On Thu, Mar 24, 2016 at 9:08 AM, Always Learning <centos at u64.u22.net> wrote: >> I can't stress enough, mysql-5.0 on el5 is absolutely not updated >> security wise. > > Thanks. Reading it now. Just to be clear: you absolutely should upgrade to a currently maintained version of MySQL. However, upgrading will not protect you from SQL injection attacks. The probes

I started my app before migrations were a best practice and have been using SQL scripts. Now I''m looking at potentially having to move from using MySQL to postgreSQL to use a particular hosting provider. I understand migrations are the way to go to make this ''easy'' but it also looks like the use of migrations introduces extra work in other areas. I''d really

Valeri Galtsev wrote: > On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >> readline 5.1 <snip>> > Indeed. There are several flaws in how mysql handles data. This is why to Ok, do you have a link or two to info about that? > the best of my ability I am trying to avoid mysql, and use

mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1 I spotted something strange and immediately installed a routine to automatically impose an iptables block when the key used for database access is excessively long. My URL was something like this ...../...../.....php?key=123456 The injection was something like this

On 04/25/2018 01:02 PM, Mikulas Patocka wrote: > > > From: Mikulas Patocka <mpatocka at redhat.com> > Subject: [PATCH v4] fault-injection: introduce kvmalloc fallback options > > This patch introduces a fault-injection option "kvmalloc_fallback". This > option makes kvmalloc randomly fall back to vmalloc. > > Unfortunatelly, some kernel code has bugs

On 04/25/2018 01:02 PM, Mikulas Patocka wrote: > > > From: Mikulas Patocka <mpatocka at redhat.com> > Subject: [PATCH v4] fault-injection: introduce kvmalloc fallback options > > This patch introduces a fault-injection option "kvmalloc_fallback". This > option makes kvmalloc randomly fall back to vmalloc. > > Unfortunatelly, some kernel code has bugs

On Tue 24-04-18 13:28:49, Mikulas Patocka wrote: > > > On Tue, 24 Apr 2018, Michal Hocko wrote: > > > On Tue 24-04-18 13:00:11, Mikulas Patocka wrote: > > > > > > > > > On Tue, 24 Apr 2018, Michal Hocko wrote: > > > > > > > On Tue 24-04-18 11:50:30, Mikulas Patocka wrote: > > > > > > > > > >

Hi, I use a OpenLDAP for authentication. To authenticate a full DN as the user name must be used, like "cn=jim,ou=users,dc=example,dc=com". There are several domains, like example2.com and example3.com. I want to use Dovecot with ldap and authentication binds. For testing I use "auth_bind_userdn = cn=%n,ou=users,dc=%d" and the user name must provide as "jim at

Howdy - For most of my dovecot servers, they are small and I just use unix accounts. However I am going to be running a new server for more general users, webmail (probably roundcube but I'm hacking roundcube quite a bit, enough that I'm calling it squarepeg instead so users familiar with roundcube will know it is quite different) and it will use MariaDB for account management. I

HI guys, I just came through an example on code of the place I work for that said something like this could be vulnerable to sql injection attacks: scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) } I wonder if this is true. My thought is that rails should escape this and that anything that tried to do something different would fail on the translation

Valeri Galtsev wrote: > > On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote: >> Valeri Galtsev wrote: >>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>>> readline 5.1 >> <snip>> >>> Indeed. There are several flaws in how mysql handles

Hi everyone, Some Intel processors have a newly disclosed vulnerability named Load Value Injection. One pager on Load Value Injection: https://software.intel.com/security-software-guidance/software-guidance/load-value-injection Deep dive on Load Value Injection: https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection I wrote this compiler pass that can

Patch 2/2 - Add flag to indicate that an exception event needs injecting, and to delay the ext interrupt injection. Remove unnecessary check of RFLAGS.IF for ExtInt injection. Applies cleanly to xen-unstable c/s 11831. Please apply to xen-unstable.hg. We would also want this patch to be in a 3.0.3-1 base whenever that is branched. Signed-off-by: Travis Betak <travis.betak@amd.com>

Recently my network was scanned. Various services was scanned, and checking the logs of mail server the following string draw my attention: mail dovecot: pop3-login: Disconnected: user=<ttejmgpfip>, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x This looks weird to me, because pop3-login: Disconnected looks like succesful login attempt to me. I have no such user named ttejmgpfip exits ofc.

Hi, I'm receiving the following messages in my mail logs that I haven't seen before: Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?) Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21): Username character disallowed by auth_username_chars: 0x13 (username: AB?) There's