
Horde IMP Database File SQL Injection Vulnerability


Published: 2003-01-08
Updated: 2003-01-15
Severity:
Threat: disclosure of sensitive user information
Error type: input validation error
Exploitation: server mode

BUGTRAQ ID:6559
CVE(CAN) ID:CAN-2003-0025

Affected systems
Horde IMP 2.2
   + Horde Horde 1.2
Horde IMP 2.2.1
   + Horde Horde 1.2.1
Horde IMP 2.2.2
   + Horde Horde 1.2.2
Horde IMP 2.2.3
   + Horde Horde 1.2.3
Horde IMP 2.2.4
   + Caldera OpenLinux Server 3.1
   + Horde Horde 1.2.4
Horde IMP 2.2.5
   + Caldera OpenLinux Server 3.1
   - Conectiva Linux 5.0
   - Conectiva Linux 5.1
   - Conectiva Linux 6.0
   - Conectiva Linux 7.0
   + Horde Horde 1.2.5
Horde IMP 2.2.6
   - Conectiva Linux 5.0
   - Conectiva Linux 5.1
   - Conectiva Linux 6.0
   - Conectiva Linux 7.0
   - Debian Linux 2.2
   + Horde Horde 1.2.6
Horde IMP 2.2.7
   - Caldera OpenLinux Server 3.1
   - Caldera OpenLinux Server 3.1.1
   - Conectiva Linux 5.0
   - Conectiva Linux 5.1
   - Conectiva Linux 6.0
   - Conectiva Linux 7.0
   + Horde Horde 1.2.7
Horde IMP 2.2.8
   + Horde Horde 1.2.8
Details
Horde IMP is a webmail system.

Horde IMP fails to properly filter user-supplied input in several places, so an attacker can inject SQL that changes the logic of the original query. The vulnerability is in the PHP file lib/db.<databasename> (for example db.pgsql), in the function check_prefs:

$sql="select username from $default->db_pref_table where username='$user@$server'";

The user-supplied string is passed into the SQL query without any filtering, so the query can be altered and database contents read or modified.

Test code
$ lynx "http://webmail.server/imp/mailbox.php3?actionID=6&server=x&imapuser=x';somesql+--&pass=x"
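The query above and the patch's addslashes() approach, modelled in Python against an in-memory SQLite table (an added example, not Horde IMP's own code; the table name and the sample row are constructed). It compares the interpolated query, the backslash-escaped query, and a parameterised query on the same legitimate and injected input:

```python
# Added example, not Horde IMP's own code: the check_prefs query from
# lib/db.pgsql is modelled in Python against an in-memory SQLite table so the
# three ways of building it can be compared on the same input.
import sqlite3

DB_PREF_TABLE = "imp_prefs"   # assumed stand-in for $default->db_pref_table


def addslashes(s):
    """PHP addslashes(): backslash before ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def make_db():
    """Constructed sample data: one preference row, alice@mail.example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {DB_PREF_TABLE} (username TEXT PRIMARY KEY)")
    conn.execute(f"INSERT INTO {DB_PREF_TABLE} VALUES ('alice@mail.example')")
    return conn


def check_prefs_vulnerable(conn, user, server):
    """As in the advisory: $user and $server are pasted into the literal."""
    sql = (f"select username from {DB_PREF_TABLE} "
           f"where username='{user}@{server}'")
    return conn.execute(sql).fetchone() is not None


def check_prefs_addslashes(conn, user, server):
    """The patch's approach. It only works where the server treats a
    backslash as an escape inside '...'. SQLite (standard SQL) does not,
    so a quote in $user still terminates the literal here."""
    return check_prefs_vulnerable(conn, addslashes(user), addslashes(server))


def check_prefs_fixed(conn, user, server):
    """Bind the key as a parameter: quotes in the input are data, not SQL."""
    sql = f"select username from {DB_PREF_TABLE} where username = ?"
    key = f"{user}@{server}"
    return conn.execute(sql, (key,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bad_user = "x' or 1=1 --"   # shape of the imapuser value in the test URL
    for name, fn in [("interpolated", check_prefs_vulnerable),
                     ("addslashes", check_prefs_addslashes),
                     ("parameterised", check_prefs_fixed)]:
        print(f"{name:14} alice -> {fn(db, 'alice', 'mail.example')}, "
              f"injected -> {fn(db, bad_user, 'x')}")
```

Only the parameterised form answers False for the injected key; the escaped form passes on servers that honour backslash escapes but not on standard-SQL literal parsing, which is why escaping per call site is a weaker fix than binding.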

Solution
Patch download:

# Of course, folks using Imp-2 with non-PostgreSQL databases will
# need to adapt the following to the appropriate db.* file

--- lib/db.pgsql.20030108 2000-12-20 15:45:33.000000000 -0500
+++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
@@ -26,6 +26,13 @@
function imp_add_address ($address, $nickname, $fullname, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $address = addslashes($address);
+ $nickname = addslashes($nickname);
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: adds $address, $nickname, $fullname to the addressbook for $user@$server
returns true on success and false on failure
*/
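Review bot: addslashes() in the new lines at the top of imp_add_address is a generic backslash escaper, not a PostgreSQL-aware one, so whether `\'` actually neutralises a quote depends on how the server parses string literals; pg_escape_string() (PHP 4.2 and later) follows the server's quoting rules, and binding the values as query parameters would remove the string-building problem rather than guarding each call site. Also, when magic_quotes_gpc is on, request values arrive already slashed, so these calls double-escape them and the stored address, nickname and fullname end up with literal backslashes; check get_magic_quotes_gpc() (or stripslashes first) before escaping.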
@@ -41,6 +48,10 @@
function imp_check_prefs ($user, $server) {
global $_imp_prefs_exist, $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
if (isset($_imp_prefs_exist)) {
return $_imp_prefs_exist;
}
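Review bot: this is the function the advisory cites, and the escaping is correctly placed before the `isset($_imp_prefs_exist)` early return, but the `post:` contract comment of this and the other patched functions should now say that callers pass raw, unescaped $user and $server; a caller that escapes beforehand will get a double-escaped key and the lookup will silently miss.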
@@ -59,6 +70,11 @@
function imp_delete_address ($address, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $address = addslashes($address);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: deletes $address from the addressbook of $user@$server
returns true on success and false on failure
*/
@@ -72,6 +88,10 @@
function imp_get_addresses ($user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns a 2d array of addresses where each
element is an array in which element 0 is the address,
element 1 is the nickname, and element 2 is the fullname.
@@ -92,6 +112,10 @@
function imp_get_from ($user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -105,6 +129,10 @@
function imp_get_fullname ($user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -118,6 +146,10 @@
function imp_get_lang ($user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -131,6 +163,10 @@
function imp_get_signature ($user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: returns the signature for the database key $user@$server
(a string), or false on failure.
*/
@@ -144,6 +180,11 @@
function imp_set_from ($from, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $from = addslashes($from);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the replyto to $from for the database key $user@$server
returns true on success and false on failure
*/
@@ -165,6 +206,11 @@
function imp_set_fullname ($fullname, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the fullname to $fullname for the database key $user@$server
returns true on success and false on failure
*/
@@ -186,6 +232,11 @@
function imp_set_lang ($lang, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $lang = addslashes($lang);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the language to $lang for the database key $user@$server
returns true on success and false on failure
*/
@@ -208,6 +259,11 @@
function imp_set_signature ($signature, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $signature = addslashes($signature);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: sets the signature to $signature for the database key $user@$server
returns true on success and false on failure
*/
@@ -230,6 +286,14 @@
function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
+ $old_address = addslashes($old_address);
+ $address = addslashes($address);
+ $nickname = addslashes($nickname);
+ $fullname = addslashes($fullname);
+ $user = addslashes($user);
+ $server = addslashes($server);
+
/* post: changes the entry for $old_address to $address, $nickname, $fullname.
returns true on success and false on failure
*/
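Review bot: the same block is now copy-pasted into twelve functions, with the parameter list retyped each time; a single helper (a hypothetical `imp_db_quote()` wrapper applied where each literal is built, name mine) would make a missed function or parameter far less likely and would be the one place to switch to pg_escape_string() or prepared statements later.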


Horde IMP 2.2:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.1:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.2:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.3:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.4:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.5:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.6:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Debian Upgrade imp_2.2.6-0.potato.5.2_all.deb
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-0.potato.5.2_all.deb
Debian GNU/Linux 2.2 alias potato.

Debian Upgrade imp_2.2.6-5.2_all.deb
http://security.debian.org/pool/updates/main/i/imp/imp_2.2.6-5.2_all.deb
Debian GNU/Linux 3.0 alias woody.

Horde IMP 2.2.7:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Horde IMP 2.2.8:

Horde Upgrade IMP 3.1
http://www.horde.org/imp/3.1/

Related information
References: http://online.securityfocus.com/advisories/4872
http://online.securityfocus.com/archive/1/305701
Related homepage: http://www.horde.org/