Page MenuHomekolab.org
Create Task
Maniphest T5608

kolab-setup: MySQL injection on roundcube password: ERROR at line 1: Unknown command '\S'.
Open, Needs TriagePublic
Actions

Description

$ rpm -qv pykolab 
pykolab-0.8.15-2.1.el7.kolab_16.noarch

This is a fresh CentOS 7 install from http://ftp.rrzn.uni-hannover.de/centos/7.7.1908/isos/x86_64/CentOS-7-x86_64-Minimal-1908.iso

Running sudo setup-kolab from the command line via SSH after switching SELinux to permissive mode as in T978: SELinux **MUST** not be enforcing

My password manager generated the following password:

+~+G`.1CH}F6B^fwsYxIH'\Sz

It seems that a single quote and backslash-S cause SQL injection when setting up MySQL account for the roundcube user:

Timezone ID [UTC]: 

Please supply a password for the MySQL user 'roundcube'. This password will be
used by the Roundcube webmail interface.

MySQL roundcube password [EaGO_pF-dZ-Iors]: 
Confirm MySQL roundcube password: 
ERROR at line 1: Unknown command '\S'.
Details
Ticket Type 
Task 
Related Objects
Event Timeline
saper created this task.Sep 25 2019, 5:18 PM
saper added projects: PyKolab, Maipo.
saper added a comment.Sep 25 2019, 5:29 PM
This also produces a broken configuration file:



$config['db_dsnw'] = 'mysqli://roundcube:+~+G`.1CH}F6B^fwsYxIH'\Sz@localhost/roundcube'





$ sudo php -l /usr/share/roundcubemail/config/config.inc.php
PHP Parse error:  syntax error, unexpected '\' (T_NS_SEPARATOR) in /usr/share/roundcubemail/config/config.inc.php on line 4
Errors parsing /usr/share/roundcubemail/config/config.inc.php
 KolkataEscortss added a subscriber:  KolkataEscortss.Sep 29 2019, 8:03 AM
This comment was removed by vanmeeuwen.
pasik added a subscriber: pasik.Apr 3 2020, 5:56 PM
 kara added a subscriber:  kara.Aug 25 2020, 3:01 PM
This comment was removed by sicherha-admin.