[SM-USERS] Bad SQL query from Squirrelmail
Hi all, new Squirrelmail admin here.

Running the latest Squirrelmail on CentOS 6, my valid users get the message "Unknown user or password incorrect." when logging in. I see this in the maillog:

Oct 24 13:36:18 sharingcenterservers dovecot: auth: Error: mysql: Query failed, retrying: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��someUser’' at line 1
Oct 24 13:36:18 sharingcenterservers dovecot: auth: Error: sql(beer,127.0.0.1): Password query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��someUser’' at line 1
Oct 24 13:36:20 sharingcenterservers dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql: Query failed, retrying: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��anotherUser’' at line 1
Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: sql(gadi,127.0.0.1): Password query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��anotherUser’' at line 1
Oct 24 13:36:32 sharingcenterservers dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured

Note that someUser and anotherUser are both valid usernames on the system. The username and the password are identical (someUser:someUser and anotherUser:anotherUser). I can successfully log into ssh with these usernames.

What could be the issue?

Thanks!
--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--
The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Cisco Self-Assessment and learn about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
-
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Re: [SM-USERS] Bad SQL query from Squirrelmail
On 24/10/2011 12:51, Dotan Cohen wrote:
> Hi all, new Squirrelmail admin here.
>
> Running the latest Squirrelmail on CentOS 6, my valid users get the
> message "Unknown user or password incorrect." when logging in. I see
> this in the maillog:
>
> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
> Query failed, retrying: You have an error in your SQL syntax; check
> the manual that corresponds to your MySQL server version for the right
> syntax to use near '��anotherUser’' at line 1

Hi Dotan, the user might be placing the char ' in their user name.

For example: Garry
becomes: 'Garry'

This is quite serious if this is true as it means that SM suffers from an SQL Injection and your system could be hacked.
This is very unlikely as the SQ team rock..

An SQL error like this is still very serious!

Have you tried to log in to SM with the username/password (I know you said SSH but try SM as well); if so, do you get the same error?

Also try downloading the source from the website and doing a: diff -ru source/ current/
where source is the downloaded Source and current is your current install.
If all is OK there should only be diffs in cache and config settings.

SM Guys, is the SVN repo safe and secure?

Giz
Re: [SM-USERS] Bad SQL query from Squirrelmail
On Mon, Oct 24, 2011 at 14:02, Garry Taylor wrote:
> Hi Dotan, the user might be placing the char ' in their user name.
>
> For example: Garry
> becomes: 'Garry'
>

Nice idea, but alas it is not the issue. It is myself who is typing the username and password in, and I am certain that there is no quote in there. I am still in the testing phase, the system is not yet deployed.

> Also try downloading the source from the website and doing a: diff -ru
> source/ current/
> where source is the downloaded Source and current is your current install.
> If all is OK there should only be diffs in cache and config settings.
>

I downloaded the SM source from here:
http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.22/squirrelmail-webmail-1.4.22.tar.gz

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
Re: [SM-USERS] Bad SQL query from Squirrelmail
On 24/10/2011 15:39, Dotan Cohen wrote:
> On Mon, Oct 24, 2011 at 14:02, Garry Taylor wrote:
>> Hi Dotan, the user might be placing the char ' in their user name.
>>
>> For example: Garry
>> becomes: 'Garry'
>
> Nice idea, but alas it is not the issue. It is myself who is typing
> the username and password in, and I am certain that there is no quote
> in there. I am still in the testing phase, the system is not yet
> deployed.
>
>> Also try downloading the source from the website and doing a: diff -ru
>> source/ current/
>> where source is the downloaded Source and current is your current install.
>> If all is OK there should only be diffs in cache and config settings.
>
> I downloaded the SM source from here:
> http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.22/squirrelmail-webmail-1.4.22.tar.gz

What are you using as your mail server? For example Qmail.. are you able to auth your username and passwords using telnet or any mail client?
Re: [SM-USERS] Bad SQL query from Squirrelmail
2011.10.24 15:02 Garry Taylor wrote:
> On 24/10/2011 12:51, Dotan Cohen wrote:
>> Hi all, new Squirrelmail admin here.
>>
>> Running the latest Squirrelmail on CentOS 6, my valid users get the
>> message "Unknown user or password incorrect." when logging in. I see
>> this in the maillog:
>>
>> Oct 24 13:36:30 sharingcenterservers dovecot: auth: Error: mysql:
>> Query failed, retrying: You have an error in your SQL syntax; check
>> the manual that corresponds to your MySQL server version for the right
>> syntax to use near '��anotherUser’' at line 1
>>
> Hi Dotan, the user might be placing the char ' in their user name.
>
> For example: Garry
> becomes: 'Garry'
>
> This is quite serious if this is true as it means that SM suffers from
> an SQL Injection and your system could be hacked.
> This is very unlikely as the SQ team rock..
>
> An SQL error like this is still very serious!

It is not a SquirrelMail issue. If you can perform SQL injection with custom username fed to IMAP server, problem exists on 143 port or in 143 port service configuration.

SquirrelMail does not execute SQL queries, when it sends username to IMAP service.

--
Tomas
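As an added illustration (not code from the thread, SquirrelMail or Dovecot), the script below triages Dovecot auth SQL errors of the kind quoted in this thread: it matches only lines logged by `dovecot: auth`, then checks whether a quote character is present in the logged login name or whether non-ASCII characters appear in the failing query fragment. The sample log, host name and account names are constructed, and U+2018/U+2019 are an assumption standing in for the characters that appear garbled in the archived log.

```python
import re
import unicodedata

# Constructed sample modelled on the maillog excerpt quoted in this thread.
# Host and account names are invented. U+2018/U+2019 are an assumption standing
# in for the non-ASCII characters that appear garbled in the archived log.
# The last line is the hypothetical "quote typed into the user name" case.
SAMPLE_LOG = (
    "Oct 24 13:36:18 mailhost dovecot: auth: Error: sql(alice,127.0.0.1): "
    "Password query failed: You have an error in your SQL syntax; check the "
    "manual for the right syntax to use near '\u2018alice\u2019' at line 1\n"
    "Oct 24 13:36:20 mailhost dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured\n"
    "Oct 24 13:37:02 mailhost dovecot: auth: Error: sql(o'hara,127.0.0.1): "
    "Password query failed: You have an error in your SQL syntax; check the "
    "manual for the right syntax to use near 'hara'' at line 1\n"
)

# Syslog tag "dovecot: auth:", then sql(<login>,<remote ip>), then the MySQL
# error tail "near '<fragment>' at line N".
AUTH_SQL_ERROR = re.compile(
    r"dovecot: auth: Error: sql\((?P<login>.*),(?P<rip>[^,()]+)\): "
    r".*? near '(?P<fragment>.*)' at line \d+$"
)


def triage(log_text):
    """Return one finding per Dovecot auth SQL error line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = AUTH_SQL_ERROR.search(line)
        if not m:
            continue  # other lines (e.g. imap-login) carry no SQL error
        login, fragment = m.group("login"), m.group("fragment")
        odd = sorted({c for c in fragment if ord(c) > 127})
        findings.append({
            "login": login,  # login name as logged by the auth process
            "quote_in_login": any(c in login for c in "'\"`\\"),
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in odd],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with a quote-free login but non-ASCII characters in the fragment points away from the typed user name and toward the query text configured on the IMAP server side.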
Re: [SM-USERS] Bad SQL query from Squirrelmail
On Mon, Oct 24, 2011 at 17:00, Garry Taylor wrote:
> What are you using as your mail server? For example Qmail..

Dovecot.

> are you able to auth your username and passwords using telnet or any mail
> client?
>

I'll check and get right back.

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
Re: [SM-USERS] Bad SQL query from Squirrelmail
On Mon, Oct 24, 2011 at 18:55, Tomas Kuliavas wrote:
> SquirrelMail does not execute SQL queries, when it sends username to IMAP
> service.
>

I think that you are right, it is dovecot that interfaces with MySQL. Thanks.

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
Re: [SM-USERS] Bad SQL query from Squirrelmail
Somehow I have become the recipient of these emails. Don't know why or how. If you could help me not get them I would greatly appreciate it.

Thanks,
Judi

> On Mon, Oct 24, 2011 at 18:55, Tomas Kuliavas wrote:
>> SquirrelMail does not execute SQL queries, when it sends username to
>> IMAP service.
>>
>
> I think that you are right, it is dovecot that interfaces with MySQL.
> Thanks.
>
> --
> Dotan Cohen
>
> http://gibberish.co.il
> http://what-is-what.com