Page MenuHomekolab.org

kolab-setup: MySQL injection on roundcube password: ERROR at line 1: Unknown command '\S'.
Open, Needs TriagePublic

Description

$ rpm -qv pykolab 
pykolab-0.8.15-2.1.el7.kolab_16.noarch

This is a fresh CentOS 7 install from http://ftp.rrzn.uni-hannover.de/centos/7.7.1908/isos/x86_64/CentOS-7-x86_64-Minimal-1908.iso

Running sudo setup-kolab from the command line via SSH after switching SELinux to permissive mode as in T978: SELinux **MUST** not be enforcing

My password manager generated the following password:

+~+G`.1CH}F6B^fwsYxIH'\Sz

It seems that a single quote and backslash-S cause SQL injection when setting up MySQL account for the roundcube user:

Timezone ID [UTC]: 

Please supply a password for the MySQL user 'roundcube'. This password will be
used by the Roundcube webmail interface.

MySQL roundcube password [EaGO_pF-dZ-Iors]: 
Confirm MySQL roundcube password: 
ERROR at line 1: Unknown command '\S'.

Details

Ticket Type
Task

Event Timeline

saper created this task.Sep 25 2019, 5:18 PM
saper added projects: PyKolab, Maipo.
saper added a comment.Sep 25 2019, 5:29 PM

This also produces a broken configuration file:

$config['db_dsnw'] = 'mysqli://roundcube:+~+G`.1CH}F6B^fwsYxIH'\Sz@localhost/roundcube'
$ sudo php -l /usr/share/roundcubemail/config/config.inc.php
PHP Parse error:  syntax error, unexpected '\' (T_NS_SEPARATOR) in /usr/share/roundcubemail/config/config.inc.php on line 4
Errors parsing /usr/share/roundcubemail/config/config.inc.php
This comment was removed by vanmeeuwen.