1 (edited by Rudigern 2017-09-22 06:55:52)

Topic: Error due to apostrophe in email address

==== Required information ====
- iRedMail version: 0.9.5-1
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend: PGSQL
- Web server: Apache
====

Hi,

I came across this log in my DB:

ERROR: syntax error at or near "xxxx" at character xxx
date time IP(number):vmail@vmail:[4243]:STATEMENT: SELECT accesspolicy, goto, moderators
FROM alias
WHERE
address='xxxxxxxx'
AND islist=1
AND active=1
LIMIT 1

The email has an apostrophe in it because of the surname. I'm not sure what this query would do; however, it looks like a potential injection attack?

This person's email isn't in my managed email list, so I don't know why it would be being called up.


2

Re: Error due to apostrophe in email address

Dot is a legal character in an email address.

3

Re: Error due to apostrophe in email address

ZhangHuangbin wrote:

Dot is a legal character in an email address.

I'm not too sure what you mean, apostrophe ( ' ) is a legal character in an email and it's causing an SQL error, which looks like it could be an injection vector. I wasn't referring to a dot in the error.

4

Re: Error due to apostrophe in email address

About "apostrophe", do you mean single quote?
I will check this later.

5

Re: Error due to apostrophe in email address

ZhangHuangbin wrote:

About "apostrophe", do you mean single quote?
I will check this later.

Yes, so bob.o'rourke@email.com

6

Re: Error due to apostrophe in email address

Fixed a moment ago:
https://bitbucket.org/zhb/iredapd/commi … 15ce7c358d
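
The failure discussed in this thread, reproduced as an added example (not part of the original posts and not iRedAPD's own code or its fix): the query from the log is run once with the address pasted into the SQL text and once with it bound as a parameter. Assumptions: an in-memory SQLite table stands in for the PGSQL `alias` table, the row contents are constructed, and the function names are hypothetical.

```python
import sqlite3

# Query text taken from the log in the first post; {} marks where the address goes.
QUERY = ("SELECT accesspolicy, goto, moderators FROM alias "
         "WHERE address={} AND islist=1 AND active=1 LIMIT 1")


def make_db():
    """Constructed in-memory table standing in for the PGSQL `alias` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alias (address TEXT, accesspolicy TEXT, goto TEXT, "
                 "moderators TEXT, islist INTEGER, active INTEGER)")
    conn.execute("INSERT INTO alias VALUES (?, ?, ?, ?, 1, 1)",
                 ("bob.o'rourke@email.com", "public", "staff@email.com", ""))
    return conn


def lookup_interpolated(conn, address):
    """Address pasted into the SQL text: the quote in o'rourke ends the literal early."""
    sql = QUERY.format("'" + address + "'")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # Same class of failure as the PostgreSQL "syntax error at or near" log entry.
        return "syntax error: {}".format(exc)


def lookup_bound(conn, address):
    """Address passed as a bound parameter: the driver treats it as data, not SQL."""
    # sqlite3 uses "?" placeholders; psycopg2 (PostgreSQL) uses "%s" in the same role.
    return conn.execute(QUERY.format("?"), (address,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    addr = "bob.o'rourke@email.com"
    print("interpolated:", lookup_interpolated(db, addr))
    print("bound:       ", lookup_bound(db, addr))
```

A syntax error in the database log for an address containing a single quote is a useful signal that some code path is building SQL by string concatenation.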