kolab-setup: MySQL injection on roundcube password: ERROR at line 1: Unknown command '\S'.
Open, Needs Triage (Public)


$ rpm -qv pykolab 

This is a fresh CentOS 7 install from

Running sudo setup-kolab from the command line via SSH after switching SELinux to permissive mode as in T978: SELinux **MUST** not be enforcing

My password manager generated the following password:


It seems that a single quote and backslash-S cause SQL injection when setting up the MySQL account for the roundcube user:

Timezone ID [UTC]: 

Please supply a password for the MySQL user 'roundcube'. This password will be
used by the Roundcube webmail interface.

MySQL roundcube password [EaGO_pF-dZ-Iors]: 
Confirm MySQL roundcube password: 
ERROR at line 1: Unknown command '\S'.


Event Timeline

saper created this task. Sep 25 2019, 5:18 PM
saper added projects: PyKolab, Maipo.
saper added a comment. Sep 25 2019, 5:29 PM

This also produces a broken configuration file:

$config['db_dsnw'] = 'mysqli://roundcube:+~+G`.1CH}F6B^fwsYxIH'\Sz@localhost/roundcube'
$ sudo php -l /usr/share/roundcubemail/config/
PHP Parse error:  syntax error, unexpected '\' (T_NS_SEPARATOR) in /usr/share/roundcubemail/config/ on line 4
Errors parsing /usr/share/roundcubemail/config/
This comment was removed by vanmeeuwen.
pasik added a subscriber: pasik. Apr 3 2020, 5:56 PM
This comment was removed by sicherha-admin.
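
The two failures reported in this task (the mysql client error and the unparsable Roundcube config line) both come from a password interpolated into a quoted string without escaping. The following is an added example, not pykolab's own code, of quoting a password for each context. The function names and the sample password are constructed for illustration, and it assumes MySQL's default sql_mode and that Roundcube URL-decodes the credentials in its DSN.

```python
from urllib.parse import quote

# Constructed sample password with the characters from the report:
# a single quote followed by backslash-S.
SAMPLE_PASSWORD = "Ab1'\\Sz"


def naive_literal(value: str) -> str:
    # Unescaped interpolation: the embedded quote closes the string early,
    # so the rest of the password is parsed as syntax, not data.
    return "'%s'" % value


def mysql_string_literal(value: str) -> str:
    # MySQL string literal under the default sql_mode (assumption:
    # NO_BACKSLASH_ESCAPES is not set): double backslashes and quotes.
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def php_single_quoted(value: str) -> str:
    # In a PHP single-quoted string only backslash and single quote need
    # escaping. Backslashes go first so the added ones are not re-escaped.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def roundcube_dsn_line(user: str, password: str, host: str, database: str) -> str:
    # Percent-encode the credentials so quote, backslash, '@', ':' and '/'
    # cannot alter the DSN structure (assumption: Roundcube URL-decodes
    # them), then emit the result as a PHP string literal.
    dsn = "mysqli://%s:%s@%s/%s" % (
        quote(user, safe=""), quote(password, safe=""), host, database)
    return "$config['db_dsnw'] = %s;" % php_single_quoted(dsn)


if __name__ == "__main__":
    print("naive :", naive_literal(SAMPLE_PASSWORD))
    print("mysql :", mysql_string_literal(SAMPLE_PASSWORD))
    print("config:", roundcube_dsn_line(
        "roundcube", SAMPLE_PASSWORD, "localhost", "roundcube"))
```

Where the setup code talks to the database through a driver, passing the password as a bound parameter avoids the SQL quoting step altogether.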