Please fix this SQL INJECTION CRITICAL ISSUE #2636

Closed
rcubetrac opened this issue Jan 21, 2010 · 6 comments

Comments


Reported by AmilaDG on 21 Jan 2010 05:59 UTC as Trac ticket #1486444

Once I type my user name and my password to log in, it is OK, done, with no errors. But the problem starts when I try a MySQL injection. I type my user name and I type my password as `or 1=1;--`
It shows this (good thing the IMAP server rejects it). But please note this is a really critical issue. Please fix it.
AmilaDG (Webmaster www.talk.lk)

Migrated-From: http://trac.roundcube.net/ticket/1486444


Comment by @alecpl on 21 Jan 2010 07:49 UTC

And where is the issue? Are you using any plugins for login?


Status changed by @alecpl on 21 Jan 2010 07:49 UTC

new => closed


Comment by AmilaDG on 21 Jan 2010 08:03 UTC

Replying to alec:

> And where is the issue? Are you using any plugins for login?

I don't use any plugins, just a styled login page. When I type a wrong password it shows "Login failed", right? But when I type some MySQL injection code like `1 or 1=1;--` it shows "Connection to IMAP server failed". That means the Roundcube databases can be accessed using MySQL injections, but the IMAP server cannot. This is a very critical situation.
Regards


Comment by @alecpl on 21 Jan 2010 08:06 UTC

I'm unable to reproduce this using the svn-trunk version, nor with some old pre-0.3 version. I always get "Login failed". So we need more info about your environment/config.


Comment by @alecpl on 21 Jan 2010 08:17 UTC

The password is not used in any SQL query. You can see this when you enable the sql_debug option.


Comment by @alecpl on 21 Jan 2010 08:25 UTC

Please enable imap_debug and attach the logs/imap file here. We'll see what your IMAP server returns on login. I leave this ticket closed, because it's not an issue.
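The thread above turns on where the typed password actually goes: not into a SQL statement, but into an IMAP LOGIN command, where the server treats it as an opaque string and answers NO. The following is an added example, not Roundcube's code (Roundcube's IMAP client is written in PHP and is not reproduced here), showing how an IMAP client has to encode credentials per RFC 3501 and what the reporter's payload looks like on the wire. The tag `a001` and the sample credentials are constructed for the demonstration.

```python
# Added example (not Roundcube's code): RFC 3501 string encoding for the
# credentials an IMAP client sends in a LOGIN command. The password the
# user typed travels to the IMAP server as data, it is never part of SQL.

TAG = b"a001"  # constructed client tag; real clients increment it per command


def imap_string(value: str) -> bytes:
    """Encode a string as an RFC 3501 quoted string, or as a literal when
    it holds octets a quoted string may not carry (CR, LF, NUL, 8-bit)."""
    raw = value.encode("utf-8")
    needs_literal = any(b in (0x0D, 0x0A, 0x00) or b >= 0x80 for b in raw)
    if needs_literal:
        # Synchronising literal: announce the octet count, wait for the
        # server's '+' continuation, then send the raw octets unchanged.
        # Because the length is declared up front, an embedded CRLF cannot
        # terminate the command early and start a second, injected one.
        return b"{%d}\r\n%s" % (len(raw), raw)
    # Inside a quoted string only backslash and double quote are special.
    escaped = raw.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
    return b'"' + escaped + b'"'


def login_command(user: str, password: str, tag: bytes = TAG) -> bytes:
    """Build the full LOGIN command line the client writes to the socket."""
    return b"%s LOGIN %s %s\r\n" % (tag, imap_string(user), imap_string(password))


if __name__ == "__main__":
    # The reporter's payload: a plain quoted string the IMAP server will
    # compare against the stored password and reject with "NO".
    print(login_command("alice", "' or 1=1;--"))
    # A password containing CRLF is sent as a literal, not as a second command.
    print(login_command("alice", "x\r\nA1 LOGOUT"))
```

Seen this way, `' or 1=1;--` is just a twelve-character password that the server rejects, which is what the reporter observed. The check alec asks for, enabling imap_debug, would show exactly this LOGIN exchange and the server's NO response; sql_debug would show that no query ever contained the password.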
