Error: mysqli_query Incorrect string value
Hi,
I don't know how this is handled internally in ISPConfig and I'm not an ISPConfig developer, but I'm worried about whether this bug could possibly be used for an SQL injection attack. This is why I posted this bug as critical.
Recently I got 4 similar mails to my admin account, including parts of the mail.log and the following error message; I guess ISPConfig sent them to me. It happened on version 3.0.5.4p2 / Debian Wheezy, but I can't reproduce it because I don't know how it happened in the first place.
It looks like ISPConfig failed parsing mail.log at some point, maybe because of some unexpected characters in the message-id. Some UTF-8 strings somehow found their way into the message-id. I don't know yet how this happened; maybe the sender of the mail had this in his setup. But ISPConfig should handle this case and not fail with this type of error.
Can an attacker manipulate this message-id in a way that an SQL injection is possible?
I don't want to post the whole mail-body, because it contains some sensitive data from my mail.log.
The mail-body looked like this (I replaced IPs, my hostnames and domains with example.com/examplehost and posted only relevant lines):
####mail-body-start#######################################################################################
05.01.2015-03:50 - WARNING - DB::query(REPLACE INTO monitor_data (server_id, type, created, data, state) VALUES (1, 'log_messages', UNIX_TIMESTAMP(), 's:14730:"Jan 5 04:44:46 ....\n Jan 5 04:44:47 examplehost postfix/cleanup[20328]: 49DEF78233E: message-id=<AC413-91496755-56732589-2015.01.05-12.44.36-mailbox#example.com@????-PC>\n ... Jan 5 04:44:47 examplehost amavis[18961]: (18961-16) Passed SPAMMY {RelayedTaggedInbound}, [1.2.3.4]:24266 [1.2.3.4] mailboxtcg@ibuythings.com -> mailbox@example.com, Queue-ID: 2231A78233D, Message-ID: <AC413-91496755-56732589-2015.01.05-12.44.36-mailbox#example.com@\302\260\303\205\302\270\302\262-PC>, mail_id: OtxOcSTnSQU7, Hits: 15.973, size: 2191, queued_as: 49DEF78233E, 867 ms\n ... Jan 5 04:44:47 examplehost dovecot: lda(info@example.com): sieve: msgid=<AC413-91496755-56732589-2015.01.05-12.44.36-mailbox#example.com@???-PC>: stored mail into mailbox 'INBOX'\n ... ";', 'no_state')) -> mysqli_query Incorrect string value: '\xC5?-PC>...' for column 'data' at row 1
####mail-body-end#########################################################################################
The error is: "mysqli_query Incorrect string value: '\xC5?-PC>...' for column 'data' at row 1". So it looks like the SQL-REPLACE failed because of the UTF-8 string '\xC5?-PC>...'.
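
Added example, not part of the original report and not ISPConfig code: the two concerns raised above are separate, so this sketch first locates bytes in a log line that are not valid UTF-8 and rewrites them as visible \xNN text, then stores the result through a bound parameter so quotes in a message-id stay data. The sample line is constructed and reproduces the byte sequence as the error text prints it (0xC5 followed by '?'); the sqlite3 in-memory table, its schema and the function names are assumptions standing in for the real MySQL table.

```python
import sqlite3

# Constructed sample: one mail.log line whose message-id holds the raw byte
# 0xC5 followed by '?', as printed in the error text, plus a single quote.
SAMPLE = (b"Jan  5 04:44:47 examplehost postfix/cleanup[20328]: 49DEF78233E: "
          b"message-id=<AC413'x#example.com@\xc5?-PC>\n")


def invalid_offsets(raw: bytes) -> list[int]:
    """Return the offsets at which strict UTF-8 decoding of raw fails."""
    bad, pos = [], 0
    while pos < len(raw):
        try:
            raw[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as err:
            bad.append(pos + err.start)
            pos += err.end  # resume after the offending byte(s)
    return bad


def scrub_utf8(raw: bytes) -> str:
    """Decode as UTF-8, rewriting undecodable bytes as visible \\xNN text."""
    return raw.decode("utf-8", errors="backslashreplace")


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the monitor_data table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE monitor_data (server_id INTEGER, type TEXT, "
               "data TEXT, state TEXT, PRIMARY KEY (server_id, type))")
    return db


def store_log(db: sqlite3.Connection, server_id: int, raw: bytes) -> str:
    """Scrub the log text, then hand it to the driver as a bound parameter."""
    text = scrub_utf8(raw)
    db.execute("REPLACE INTO monitor_data (server_id, type, data, state) "
               "VALUES (?, ?, ?, ?)",
               (server_id, "log_messages", text, "no_state"))
    return text


if __name__ == "__main__":
    conn = open_store()
    print(invalid_offsets(SAMPLE))           # where the bad byte sits
    print(repr(store_log(conn, 1, SAMPLE)))  # what actually gets stored
```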