
IMP SQL injection vulnerabilities



9th Jan 2003 [SBWID-5923]

COMMAND

	IMP SQL injection vulnerabilities

SYSTEMS AFFECTED

	IMP 2.x; versions up to and including 2.2.8 appear to be vulnerable.

PROBLEM

	Jouko Pynnönen [jouko@solutions.fi] says :
	
	IMP is a popular webmail package written in PHP. It ships with some
	UNIX systems and is also used on Windows servers. Version 2 of the
	program contains some SQL injection flaws which allow any remote user
	to access the webmail system's database. Valid user authentication is
	not required in order to exploit the flaws.
	
	The error happens in some database functions in PHP files named
	lib/db.<databasename>. An example from db.pgsql, function check_prefs:
	
	  $sql="select username from $default->db_pref_table where username='$user@$server'";
	
	Including user-supplied strings directly in an SQL query is a mistake.
	The fix is to use something like the addslashes() PHP function.
	
	As a proof of concept:
	
	$ lynx "http://webmail.server/imp/mailbox.php3?actionID=6&server=x&imapuser=x';somesql+--&pass=x"
	
	IMP would try to execute "somesql" and the result would be this kind of
	PHP error (presuming the PHP configuration allows displaying error
	messages on web pages):
	
	   Warning:  PostgreSQL  query  failed:  ERROR:  parser: parse error at or near "somesql" in
	   /usr/share/horde/imp/lib/db.pgsql on line 127
	
	Even though SQL query results aren't directly readable from the screen
	in the above example, the attacker might e.g. update his/her mail
	signature to contain wanted query results and then view it on the
	preferences page of IMP. This requires a valid login, but isn't a
	problem for an attacker because IMP allows the use of any remote IMAP
	server. Use of the server_list option doesn't affect this behaviour;
	the attacker-controlled IMAP server may still be passed to mailbox.php3
	in the URL.
	
	The impact of SQL injection depends heavily on the underlying database
	and its configuration. If PostgreSQL is used, it's possible to execute
	multiple complete SQL queries separated by semicolons. The database
	contains session IDs, so the attacker might hijack sessions of people
	currently logged in and read their mail. In the worst case, if the
	hordemgr user has the required privilege to use the COPY SQL command
	(found in PostgreSQL at least), a remote user may read or write to any
	file the database user (postgres) can. The attacker may then be able to
	run arbitrary shell commands by writing them to the postgres user's
	~/.psqlrc; they'd be run when the user starts the psql command, which
	under some configurations happens regularly from a cron script.
	
	If other database servers are used, the exploitation possibilities may
	be more limited.
	
	The vendor was informed about this bug last month. Although there
	hasn't been any direct reply, there was a comment on this on the IMP
	mailing list: "2.2.x is officially deprecated/unsupported. This does
	not apply to 3.x."
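
Added example, not code from the advisory or from IMP: the check_prefs query quoted above, built the way the vulnerable code does it, the way the Update patch further down does it (addslashes), and with a bound parameter so the data never enters the SQL text. The table name imp_prefs, the $conn handle and all function names are assumptions.

```php
<?php
// Added example, not IMP's own code: the check_prefs query from the
// advisory built the vulnerable way and the patched way, plus a
// parameterised form. The table name is an assumption.
$db_pref_table = 'imp_prefs';

// Vulnerable: request data is interpolated straight into the SQL text.
function check_prefs_sql_vulnerable($user, $server, $table) {
    return "select username from $table where username='$user@$server'";
}

// Patched as in the db.pgsql diff: escape quotes and backslashes first.
// Caveat: with magic_quotes_gpc on, request data arrives already slashed,
// so strip those slashes first or the value is escaped twice.
function check_prefs_sql_escaped($user, $server, $table) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $user   = stripslashes($user);
        $server = stripslashes($server);
    }
    $user   = addslashes($user);
    $server = addslashes($server);
    return "select username from $table where username='$user@$server'";
}

// Preferred: keep the data out of the SQL text entirely. $conn is an
// assumed open pg_connect() handle; this function is only defined here,
// not called, so the script runs without a database.
function check_prefs_query_params($conn, $user, $server, $table) {
    return pg_query_params($conn,
        "select username from $table where username = \$1",
        array("$user@$server"));
}

// The imapuser value from the advisory's proof of concept ('+' is a space).
$user = "x';somesql --";
echo "vulnerable: ", check_prefs_sql_vulnerable($user, 'x', $db_pref_table), "\n";
echo "escaped:    ", check_prefs_sql_escaped($user, 'x', $db_pref_table), "\n";
```

The first echo shows the quote closing early and the rest of the input becoming SQL; the second shows the same input confined to the string literal.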

SOLUTION

	Version 3 isn't affected, so upgrading to IMP 3 is recommended. This,
	and more information about IMP, is available at
	
	 http://horde.org/imp/
	
	
	 Update (12 January 2003)
	 ========================
	
	IMP v2 patch, thanks to Sylvain Robitaille [syl@alcor.concordia.ca]:
	
	
	# Of course, folks using Imp-2 with non-PostgreSQL databases will
	# need to adapt the following to the appropriate db.* file
	
	--- lib/db.pgsql.20030108       2000-12-20 15:45:33.000000000 -0500
	+++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
	@@ -26,6 +26,13 @@
	 function imp_add_address ($address, $nickname, $fullname, $user, $server) {
	        global $default;
	
	+        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+        $address  = addslashes($address);
	+        $nickname = addslashes($nickname);
	+        $fullname = addslashes($fullname);
	+        $user     = addslashes($user);
	+        $server   = addslashes($server);
	+
	        /* post: adds $address, $nickname, $fullname to the addressbook for $user@$server
	           returns true on success and false on failure
	     */
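Review bot: addslashes() is PHP's generic escape (a backslash before ', ", \ and NUL), not PostgreSQL's own quoting; it works here because PostgreSQL of this era treats backslash as an escape inside string literals, but pg_escape_string() (PHP 4.2 and later) is the adapter-specific routine and fits a db.pgsql file better, given the header's remark that the other db.* files need adapting anyway. Also check whether magic_quotes_gpc is enabled on the deployment: request data then arrives already slashed and these five lines escape it a second time, storing literal backslashes; a stripslashes() guarded by get_magic_quotes_gpc() ahead of the addslashes() calls avoids that.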
	@@ -41,6 +48,10 @@
	 function imp_check_prefs ($user, $server) {
	        global $_imp_prefs_exist, $default;
	
	+        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+        $user     = addslashes($user);
	+        $server   = addslashes($server);
	+
	        if (isset($_imp_prefs_exist)) {
	                return $_imp_prefs_exist;
	        }
	@@ -59,6 +70,11 @@
	 function imp_delete_address ($address, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $address  = addslashes($address);
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: deletes $address from the addressbook of $user@$server
	     returns true on success and false on failure
	     */
	@@ -72,6 +88,10 @@
	 function imp_get_addresses ($user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: returns a 2d array of addresses where each
	     element is an array in which element 0 is the address,
	     element 1 is the nickname, and element 2 is the fullname.
	@@ -92,6 +112,10 @@
	 function imp_get_from ($user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: returns the signature for the database key $user@$server
	     (a string), or false on failure.
	     */
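Review bot: the post-condition comment in the unchanged context still reads "returns the signature for the database key $user@$server", copied from imp_get_signature, although this function returns the From address; the same stale comment sits in imp_get_fullname and imp_get_lang in the next two hunks. Since all three functions are touched anyway, correcting the comments here would be cheap.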
	@@ -105,6 +129,10 @@
	 function imp_get_fullname ($user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: returns the signature for the database key $user@$server
	     (a string), or false on failure.
	     */
	@@ -118,6 +146,10 @@
	 function imp_get_lang ($user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: returns the signature for the database key $user@$server
	     (a string), or false on failure.
	     */
	@@ -131,6 +163,10 @@
	 function imp_get_signature ($user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: returns the signature for the database key $user@$server
	     (a string), or false on failure.
	     */
	@@ -144,6 +180,11 @@
	 function imp_set_from ($from, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $from     = addslashes($from);
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: sets the replyto to $from for the database key $user@$server
	     returns true on success and false on failure
	     */
	@@ -165,6 +206,11 @@
	 function imp_set_fullname ($fullname, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $fullname = addslashes($fullname);
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: sets the fullname to $fullname for the database key $user@$server
	     returns true on success and false on failure
	     */
	@@ -186,6 +232,11 @@
	 function imp_set_lang ($lang, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $lang     = addslashes($lang);
	+   $user     = addslashes($user);
	+   $server   = addslashes($server);
	+
	    /* post: sets the language to $lang for the database key $user@$server
	     returns true on success and false on failure
	     */
	@@ -208,6 +259,11 @@
	 function imp_set_signature ($signature, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $signature = addslashes($signature);
	+   $user      = addslashes($user);
	+   $server    = addslashes($server);
	+
	    /* post: sets the signature to $signature for the database key $user@$server
	     returns true on success and false on failure
	     */
	@@ -230,6 +286,14 @@
	 function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
	    global $default;
	
	+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
	+   $old_address = addslashes($old_address);
	+   $address     = addslashes($address);
	+   $nickname    = addslashes($nickname);
	+   $fullname    = addslashes($fullname);
	+   $user        = addslashes($user);
	+   $server      = addslashes($server);
	+
	    /* post: changes the entry for $old_address to $address, $nickname, $fullname.
	     returns true on success and false on failure
	     */
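Review bot: the same escaping block is pasted into thirteen functions, which is easy to miss the next time a query is added; a single helper (a hypothetical imp_db_quote() wrapping the escape call) applied at the point where $sql is assembled would keep the fix in one place. Escaping at function entry also assumes every parameter is only ever used inside a quoted SQL string literal; any later use of $address, $nickname or $fullname outside the query (return values, comparisons) now sees the escaped form.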
	

