9th Jan 2003 [SBWID-5923]
COMMAND
IMP SQL injection vulnerabilities
SYSTEMS AFFECTED
IMP 2.x, Versions up to and including 2.2.8 seem vulnerable.
PROBLEM
Jouko Pynnönen [jouko@solutions.fi] says:
IMP is a popular webmail package written in PHP. It ships with some
UNIX systems and is also used on Windows servers. Version 2 of the
program contains some SQL injection flaws which allow any remote user
to access the webmail system's database. Valid user authentication is
not required in order to exploit the flaws.
The error happens in some database functions in PHP files named
lib/db.<databasename>. An example from db.pgsql, function
check_prefs:
$sql="select username from $default->db_pref_table where username='$user@$server'";
Including user-supplied strings directly in an SQL query is a mistake.
The fix is to use something like the addslashes() PHP function.
As a proof of concept:
$ lynx "http://webmail.server/imp/mailbox.php3?actionID=6&server=x&imapuser=x';somesql+--&pass=x"
IMP would try to execute "somesql" and the result would be this kind of
PHP error (presuming the PHP configuration allows displaying error
messages on web pages):
Warning: PostgreSQL query failed: ERROR: parser: parse error at or near "somesql" in
/usr/share/horde/imp/lib/db.pgsql on line 127
Even though SQL query results aren't directly readable from the screen
in the above example, the attacker might e.g. update his/her mail
signature to contain wanted query results and then view it on the
preferences page of IMP. This requires a valid login, but isn't a
problem for an attacker because IMP allows the use of any remote IMAP
server. Use of the server_list option doesn't affect this behaviour;
the attacker-controlled IMAP server may still be passed to mailbox.php3
in the URL.
The impact of SQL injection depends heavily on the underlying database
and its configuration. If PostgreSQL is used, it's possible to execute
multiple complete SQL queries separated by semicolons. The database
contains session IDs so the attacker might hijack sessions of people
currently logged in and read their mail. In the worst case, if the
hordemgr user has the required privilege to use the COPY SQL command
(found in PostgreSQL at least), a remote user may read or write to any
file the database user (postgres) can. The attacker may then be able to
run arbitrary shell commands by writing them to the postgres user's
~/.psqlrc; they'd be run when the user starts the psql command which
under some configurations happens regularly from a cron script.
If other database servers are used, the exploitation possibilities may
be more limited.
The vendor was informed about this bug last month. Although there
hasn't been any direct reply, there was a comment on this on the IMP
mailing list: "2.2.x is officially deprecated/unsupported. This does
not apply to 3.x."
SOLUTION
Version 3 isn't affected, so upgrading to IMP 3 is recommended. This,
and more information about IMP, is available at
http://horde.org/imp/
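As an added example (not part of the advisory, the patch or IMP's own code): a Python routine that scans constructed web server log lines for mailbox.php3 requests whose imapuser, server or pass parameters carry quote or statement separators, next to the advisory's query-building pattern beside an escaped form. The log lines and the table name `prefs` are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Constructed sample access-log lines (Apache common log format, not real traffic);
# line 1 mirrors the advisory's proof-of-concept shape, lines 2 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2003:10:01:12 +0200] "GET /imp/mailbox.php3?actionID=6&server=x&imapuser=x%27;somesql+--&pass=x HTTP/1.0" 200 512
10.0.0.6 - - [09/Jan/2003:10:02:40 +0200] "GET /imp/mailbox.php3?actionID=6&server=mail.example.org&imapuser=alice&pass=secret HTTP/1.0" 200 2048
10.0.0.7 - - [09/Jan/2003:10:03:01 +0200] "GET /imp/prefs.php3?actionID=1 HTTP/1.0" 200 900
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
WATCHED = ("imapuser", "server", "pass")  # parameters IMP 2.x folded into the $user@$server key
META_RE = re.compile(r"['\"\\;]|--")      # quote terminators, statement and comment separators

def query_params(query):
    """Split a query string on '&' only (never on ';', which the PoC payload contains)."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def suspicious_requests(log_text):
    """Return (client ip, parameter, decoded value) for mailbox.php3 requests whose
    watched parameter carries SQL metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        parts = urlsplit(m["uri"]) if m else None
        if parts is None or not parts.path.endswith("/imp/mailbox.php3"):
            continue
        for name in WATCHED:
            for value in query_params(parts.query).get(name, []):
                if META_RE.search(value):
                    hits.append((m["ip"], name, value))
    return hits

def build_query_unsafe(user, server):
    """The advisory's check_prefs pattern: raw interpolation into a quoted literal.
    'prefs' is an assumed stand-in for $default->db_pref_table."""
    return f"select username from prefs where username='{user}@{server}'"

def pg_quote(value):
    """Escape for a PostgreSQL literal by doubling single quotes (what pg_escape_string()
    does); the patch in the update below uses backslash-based addslashes() instead."""
    return value.replace("'", "''")

def build_query_escaped(user, server):
    """Same query with every interpolated value escaped; a parameterized query is better still."""
    return f"select username from prefs where username='{pg_quote(user)}@{pg_quote(server)}'"
```

Run against real logs, a hit only shows that a request looked like the proof of concept; whether the injected text reached the database also depends on the PHP and database configuration the advisory describes.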
Update (12 January 2003)
======
IMP v2 patch, thanks to Sylvain Robitaille [syl@alcor.concordia.ca]:
# Of course, folks using Imp-2 with non-PostgreSQL databases will
# need to adapt the following to the appropriate db.* file
--- lib/db.pgsql.20030108 2000-12-20 15:45:33.000000000 -0500
+++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
@@ -26,6 +26,13 @@
function imp_add_address ($address, $nickname, $fullname, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $address = addslashes($address);
+ $nickname = addslashes($nickname);
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: adds $address, $nickname, $fullname to the addressbook for $user@$server
returns true on success and false on failure
*/
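Review bot: addslashes() at the top of imp_add_address is a generic backslash escape that is not tied to the PostgreSQL connection, and it double-escapes when the PHP installation has magic_quotes_gpc enabled (request values then already arrive slash-escaped, so stored addresses and names pick up stray backslashes). Prefer pg_escape_string() on each value where the SQL literal is built, guarding with get_magic_quotes_gpc() and stripslashes() if magic quotes may be on, rather than repeating this block at the entry of every function.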
@@ -41,6 +48,10 @@
function imp_check_prefs ($user, $server) {
global $_imp_prefs_exist, $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
if (isset($_imp_prefs_exist)) {
return $_imp_prefs_exist;
}
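Review bot: imp_check_prefs is the function whose query the advisory quotes (`select username from $default->db_pref_table where username='$user@$server'`), so escaping $user and $server here covers the published proof of concept. The two new lines sit before the `isset($_imp_prefs_exist)` early return, which is harmless but means the escaped copies are computed and discarded on the cached path; moving them below that check would be slightly cleaner.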
@@ -59,6 +70,11 @@
function imp_delete_address ($address, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $address = addslashes($address);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: deletes $address from the addressbook of $user@$server
returns true on success and false on failure
*/
@@ -72,6 +88,10 @@
function imp_get_addresses ($user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns a 2d array of addresses where each
element is an array in which element 0 is the address,
element 1 is the nickname, and element 2 is the fullname.
@@ -92,6 +112,10 @@
function imp_get_from ($user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
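Review bot: the unchanged postcondition comment in imp_get_from says it "returns the signature", as do the ones in imp_get_fullname and imp_get_lang in the following hunks; they look copied from imp_get_signature and should describe the reply-to address, full name and language respectively. Documentation only, but worth correcting while these functions are being touched.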
@@ -105,6 +129,10 @@
function imp_get_fullname ($user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -118,6 +146,10 @@
function imp_get_lang ($user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -131,6 +163,10 @@
function imp_get_signature ($user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -144,6 +180,11 @@
function imp_set_from ($from, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $from = addslashes($from);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the replyto to $from for the database key $user@$server
returns true on success and false on failure
*/
@@ -165,6 +206,11 @@
function imp_set_fullname ($fullname, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the fullname to $fullname for the database key $user@$server
returns true on success and false on failure
*/
@@ -186,6 +232,11 @@
function imp_set_lang ($lang, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $lang = addslashes($lang);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the language to $lang for the database key $user@$server
returns true on success and false on failure
*/
@@ -208,6 +259,11 @@
function imp_set_signature ($signature, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $signature = addslashes($signature);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the signature to $signature for the database key $user@$server
returns true on success and false on failure
*/
@@ -230,6 +286,14 @@
function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
global $default;
+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $old_address = addslashes($old_address);
+ $address = addslashes($address);
+ $nickname = addslashes($nickname);
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: changes the entry for $old_address to $address, $nickname, $fullname.
returns true on success and false on failure
*/