SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (E-mail Server)  >   Horde Internet Messaging Program (IMP) Vendors:   Horde Project
Horde IMP Mail Server Input Validation Holes May Let Remote Users Execute Commands on the Underlying Database Server
SecurityTracker Alert ID:  1005904
SecurityTracker URL:  http://securitytracker.com/id/1005904
CVE Reference:   CVE-2003-0025   (Links to External Site)
Updated:  Jun 13 2008
Original Entry Date:  Jan 9 2003
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.2.8 and prior versions
Description:   A vulnerability was reported in the Horde Internet Messaging Program (IMP). A remote user can inject SQL commands to be executed by the underlying database.

It is reported that the flaw resides in some of the database functions named lib/db.<databasename>. A remote user can submit specially crafted URLs that include SQL commands that will be executed by IMP's underlying database. A demonstration exploit URL is provided:

"http://webmail.server/imp/mailbox.php3?actionID=6&server=x&imapuser=x';somesql+--&pass=x"

According to the report, the SQL query results are not displayed directly.

Impact:   Depending on the SQL database configuration, a remote user may be able to execute complete SQL queries on the database and read from or write to the database.
Solution:   The vendor reportedly has indicated that the 2.2.x versions are not supported but that the vulnerability does not apply to the 3.x versions.

The updated version is available at:

http://horde.org/imp/

Vendor URL:  www.horde.org/imp/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(SuSE Issues Fix) Horde IMP Mail Server Input Validation Holes May Let Remote Users Execute Commands on the Underlying Database Server   (Thomas Biege <thomas@suse.de>)
SuSE has released a fix.



 Source Message Contents

Date:  Wed, 8 Jan 2003 19:34:16 +0200 (EET)
Subject:  IMP 2.x SQL injection vulnerabilities




IMP is a popular webmail package written in PHP. It ships with some UNIX 
systems and is also used on Windows servers. The version 2 of the program 
contains some SQL injection flaws which allow any remote user to access 
the webmail system's database. Valid user authentication is not required 
in order to exploit the flaws.

The error happens in some database functions in PHP files named 
lib/db.<databasename>. An example from db.pgsql, function check_prefs:

  $sql="select username from $default->db_pref_table where username='$user@$server'";

Including user-supplied strings directly in an SQL query is a mistake. 
The fix is to use something like the addslashes() PHP function.

As a proof of concept:

$ lynx "http://webmail.server/imp/mailbox.php3?actionID=6&server=x&imapuser=x';somesql+--&pass=x"

IMP would try to execute "somesql" and the result would be this kind 
of PHP error (presuming the PHP configuration allows displaying error 
messages on web pages):

   Warning:  PostgreSQL  query  failed:  ERROR:  parser: parse error at or near "somesql" in
   /usr/share/horde/imp/lib/db.pgsql on line 127

Even though SQL query results aren't directly readable from the screen 
in the above example, the attacker might e.g. update his/her mail 
signature to contain wanted query results and then view it on the 
preferences page of IMP. This requires a valid login, but isn't a 
problem for an attacker because IMP allows the use of any remote IMAP 
server. Use of the server_list option doesn't affect this behaviour; the 
attacker-controlled IMAP server may be still passed to mailbox.php3 in the 
URL.

The impact of SQL injection depends heavily on the underlying database 
and its configuration. If PostgreSQL is used, it's possible to execute 
multiple complete SQL queries separated by semicolons. The database 
contains session id's so the attacker might hijack sessions of people 
currently logged in and read their mail. In the worst case, if the 
hordemgr user has the required privilege to use the COPY SQL command 
(found in PostgreSQL at least), a remote user may read or write to any 
file the database user (postgres) can. The attacker may then be able to 
run arbitrary shell commands by writing them to the postgres user's 
~/.psqlrc; they'd be run when the user starts the psql command which 
under some configurations happens regularly from a cron script.

If other database servers are used, the exploitation possibilities may 
be more limited.

The vendor has been informed about this bug last month. Although there 
hasn't been any direct reply, there was a comment on this on the IMP 
mailing list: "2.2.x is officially deprecated/unsupported. This does not 
apply to 3.x.".

Versions up to and including 2.2.8 seem vulnerable. According to the 
author, version 3 isn't affected so upgrading to IMP 3 is recommended. 
This, and more information about IMP is available at http://horde.org/imp/.



  Jouko Pynnönen
  jouko@solutions.fi


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC