
kolab-setup: MySQL injection on roundcube password: ERROR at line 1: Unknown command '\S'.
Open, Normal, Public

Description

$ rpm -qv pykolab 
pykolab-0.8.15-2.1.el7.kolab_16.noarch

This is a fresh CentOS 7 install from http://ftp.rrzn.uni-hannover.de/centos/7.7.1908/isos/x86_64/CentOS-7-x86_64-Minimal-1908.iso

Running sudo setup-kolab from the command line via SSH after switching SELinux to permissive mode as in T978: SELinux **MUST** not be enforcing

My password manager generated the following password:

+~+G`.1CH}F6B^fwsYxIH'\Sz

It seems that a single quote and backslash-S cause SQL injection when setting up the MySQL account for the roundcube user:

Timezone ID [UTC]: 

Please supply a password for the MySQL user 'roundcube'. This password will be
used by the Roundcube webmail interface.

MySQL roundcube password [EaGO_pF-dZ-Iors]: 
Confirm MySQL roundcube password: 
ERROR at line 1: Unknown command '\S'.

Details

Ticket Type
Task

Event Timeline

This also produces a broken configuration file:

$config['db_dsnw'] = 'mysqli://roundcube:+~+G`.1CH}F6B^fwsYxIH'\Sz@localhost/roundcube'
$ sudo php -l /usr/share/roundcubemail/config/config.inc.php
PHP Parse error:  syntax error, unexpected '\' (T_NS_SEPARATOR) in /usr/share/roundcubemail/config/config.inc.php on line 4
Errors parsing /usr/share/roundcubemail/config/config.inc.php
machniak lowered the priority of this task from Needs Triage to Normal. Sep 27 2023, 10:13 AM
machniak subscribed.

This specific issue may be fixed with:

--- a/pykolab/setup/setup_roundcube.py
+++ b/pykolab/setup/setup_roundcube.py
@@ -26,10 +26,11 @@ import hashlib
 import os
 import random
 import re
+import six
 import subprocess
 import sys
 import time
-import six
+import urllib.parse
 
 from Cheetah.Template import Template
 
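Review bot: `import urllib.parse`, added here next to the existing `import six`, is a Python 3 only import; the module pulls in `six` precisely so that it can run under both Python 2 and 3, and on Python 2 this line raises ImportError before setup starts. Use the shim the module already depends on, e.g. `from six.moves.urllib.parse import quote`, and drop the move of `import six` from below `import time` to above `import subprocess`, which is an unrelated reordering that only widens the diff.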
@@ -95,7 +96,7 @@ def execute(*args, **kw):
         'ldap_user_base_dn': conf.get('ldap', 'user_base_dn'),
         'ldap_user_filter': conf.get('ldap', 'user_filter'),
         'primary_domain': conf.get('kolab', 'primary_domain'),
-        'mysql_uri': 'mysqli://roundcube:%s@localhost/roundcube' % (mysql_roundcube_password),
+        'mysql_uri': 'mysqli://roundcube:%s@localhost/roundcube' % (urllib.parse.quote(mysql_roundcube_password)),
         'conf': conf
     }
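Review bot: `urllib.parse.quote(mysql_roundcube_password)` keeps `quote()`'s default `safe='/'`, so a `/` in the password is left unencoded and still breaks the DSN (everything after it is read as the path). Pass `safe=''` so that every reserved character, `/` included alongside `@`, `:`, `'` and `\`, is percent-encoded: `urllib.parse.quote(mysql_roundcube_password, safe='')`. This also relies on the consumer of `db_dsnw` percent-decoding the userinfo before connecting, which is worth stating in the commit message; and it only fixes the config string, not the `mysql` invocation that produced the `Unknown command '\S'` error in the ticket.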

However, there are other places where a single quote or backslash in a password will cause issues. So, it is not a complete solution.
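As an added example (not code from the ticket or from pykolab), the following Python escapes one password for the three contexts this thread touches: a MySQL string literal for the SQL text that is fed to the mysql client, a PHP single-quoted string for config.inc.php, and the userinfo part of the mysqli:// DSN. Each escaper is paired with a decoder so the round trip can be checked. The first sample password is the one from the ticket description; the second is constructed to exercise `/`, `@` and `:` as well. It assumes that the consumer of the DSN percent-decodes the password before connecting, which the proposed patch relies on too.

```python
from urllib.parse import quote, unquote

# Constructed sample input: the password from the ticket description.
PASSWORD = "+~+G`.1CH}F6B^fwsYxIH'\\Sz"

# Context 1: a MySQL single-quoted string literal, for the case where the
# password is spliced into SQL text that is piped to the mysql client
# (CREATE USER ... IDENTIFIED BY '...'). Unescaped, the ' in the password
# closes the literal and the client then reads \S as its own "status"
# command, which is the "Unknown command '\S'" error in the ticket.
# The escape table follows the rules of mysql_real_escape_string().
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_literal(s):
    """Return s as a safely quoted MySQL string literal, quotes included."""
    return "'" + "".join(_MYSQL_ESCAPES.get(c, c) for c in s) + "'"


def mysql_literal_decode(lit):
    """Inverse of mysql_literal(), used to verify the round trip."""
    # Map the character after the backslash back to the original character.
    inverse = {v[1]: k for k, v in _MYSQL_ESCAPES.items()}
    body, out, i = lit[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in inverse:
            out.append(inverse[body[i + 1]])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


# Context 2: a PHP single-quoted string, as written into config.inc.php.
# Only \\ and \' are escape sequences there; everything else is literal.
def php_single_quoted(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_single_quoted_decode(lit):
    """Inverse of php_single_quoted()."""
    body, out, i = lit[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "\\'":
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


# Context 3: the userinfo part of the DSN. safe='' so that '/' is encoded
# too (quote() leaves it alone by default); a raw '/' in the password would
# otherwise end the authority part of the URI.
def dsn_password(s):
    return quote(s, safe="")


def roundcube_dsn(password, host="localhost", db="roundcube"):
    return "mysqli://roundcube:%s@%s/%s" % (dsn_password(password), host, db)


def config_line(password):
    """The $config['db_dsnw'] line as it should appear in config.inc.php."""
    return "$config['db_dsnw'] = %s;" % php_single_quoted(roundcube_dsn(password))


def round_trip_ok(password):
    """True when every context recovers the original password unchanged."""
    dsn = roundcube_dsn(password)
    # After encoding, the only '@' and ':' left are the URI delimiters.
    userinfo = dsn[len("mysqli://"):dsn.rindex("@")]
    recovered_dsn_pw = unquote(userinfo.split(":", 1)[1])
    return (mysql_literal_decode(mysql_literal(password)) == password
            and php_single_quoted_decode(php_single_quoted(password)) == password
            and recovered_dsn_pw == password)


if __name__ == "__main__":
    for pw in (PASSWORD, "a/b@c:d'e\\f"):  # second value is constructed
        print(mysql_literal(pw))
        print(config_line(pw))
        print("round trip:", round_trip_ok(pw))
```

Note that once the DSN is percent-encoded, the config line contains no `'` or `\` apart from the PHP delimiters, so the PHP escaping is a second layer rather than the thing that prevents the parse error; it matters for any other place the raw password is written into PHP source.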