Horde IMP数据库文件SQL注入漏洞

漏洞信息详情

Horde IMP数据库文件SQL注入漏洞

• CNNVD编号：CNNVD-200301-020
• 危害等级： 高危
  
  
• CVE编号：
  CVE-2003-0025
  
• 漏洞类型：
  
  
  输入验证
  
• 发布时间：
  
  2003-01-17
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-10-20
  
• 厂        商：
  
  horde
• 漏洞来源：
  Jouko Pynnonen※ jo…

IMP是一款基于Web的强大的邮件程序，它由Horde项目组开发。可使用在Linux/Unix或者Microsoft Windows操作系统下。
Horde IMP没有充分过滤用户提交传递给SQL查询的输入，远程攻击者可以利用这个漏洞进行SQL注入攻击，可能破坏数据库或获得数据库信息等其他恶意活动。
漏洞存在于数据库文件lib/db.＜databasename＞中的部分数据库函数，如db.pgsql中的check_prefs：
$sql=\”select username from $default-＞db_pref_table where username=\’\’$user@$server\’\’\”;
在没有任何输入检查的情况下，直接把用户提交的数据传递给SQL查询，攻击者提交精心构建的恶意URI请求，可修改，破坏数据库内容，或进行其他非法活动。

临时解决方法：
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 未测试，第三方针对PostgreSQL的IMP 2.X补丁如下：

# Of course, folks using Imp-2 with non-PostgreSQL databases will

# need to adapt the following to the appropriate db.* file

— lib/db.pgsql.20030108 2000-12-20 15:45:33.000000000 -0500

+++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500

@@ -26,6 +26,13 @@

function imp_add_address ($address, $nickname, $fullname, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $address = addslashes($address);

+ $nickname = addslashes($nickname);

+ $fullname = addslashes($fullname);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: adds $address, $nickname, $fullname to the addressbook for $user@$server

returns true on success and false on failure

*/

@@ -41,6 +48,10 @@

function imp_check_prefs ($user, $server) {

global $_imp_prefs_exist, $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

if (isset($_imp_prefs_exist)) {

return $_imp_prefs_exist;

}

@@ -59,6 +70,11 @@

function imp_delete_address ($address, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $address = addslashes($address);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: deletes $address from the addressbook of $user@$server

returns true on success and false on failure

*/

@@ -72,6 +88,10 @@

function imp_get_addresses ($user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: returns a 2d array of addresses where each

element is an array in which element 0 is the address,

element 1 is the nickname, and element 2 is the fullname.

@@ -92,6 +112,10 @@

function imp_get_from ($user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: returns the signature for the database key $user@$server

(a string), or false on failure.

*/

@@ -105,6 +129,10 @@

function imp_get_fullname ($user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: returns the signature for the database key $user@$server

(a string), or false on failure.

*/

@@ -118,6 +146,10 @@

function imp_get_lang ($user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: returns the signature for the database key $user@$server

(a string), or false on failure.

*/

@@ -131,6 +163,10 @@

function imp_get_signature ($user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: returns the signature for the database key $user@$server

(a string), or false on failure.

*/

@@ -144,6 +180,11 @@

function imp_set_from ($from, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $from = addslashes($from);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: sets the replyto to $from for the database key $user@$server

returns true on success and false on failure

*/

@@ -165,6 +206,11 @@

function imp_set_fullname ($fullname, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $fullname = addslashes($fullname);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: sets the fullname to $fullname for the database key $user@$server

returns true on success and false on failure

*/

@@ -186,6 +232,11 @@

function imp_set_lang ($lang, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $lang = addslashes($lang);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: sets the language to $lang for the database key $user@$server

returns true on success and false on failure

*/

@@ -208,6 +259,11 @@

function imp_set_signature ($signature, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $signature = addslashes($signature);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: sets the signature to $signature for the database key $user@$server

returns true on success and false on failure

*/

@@ -230,6 +286,14 @@

function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {

global $default;

+ /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */

+ $old_address = addslashes($old_address);

+ $address = addslashes($address);

+ $nickname = addslashes($nickname);

+ $fullname = addslashes($fullname);

+ $user = addslashes($user);

+ $server = addslashes($server);

+

/* post: changes the entry for $old_address to $address, $nickname, $fullname.

returns true on success and false on failure

*/
厂商补丁：
Horde
—–
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

Horde Upgrade IMP 3.1

http://www.horde.org/imp/3.1/” target=”_blank”>
http://www.horde.org/imp/3.1/

来源: DEBIAN
名称: DSA-229
链接:http://www.debian.org/security/2003/dsa-229

来源: BUGTRAQ
名称: 20030108 IMP 2.x SQL injection vulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=104204786206563&w=2

来源: SECTRACK
名称: 1005904
链接:http://www.securitytracker.com/id?1005904

来源: BID
名称: 6559
链接:http://www.securityfocus.com/bid/6559

来源: BUGTRAQ
名称: 20030108 Re: IMP 2.x SQL injection vulnerabilities
链接:http://www.securityfocus.com/archive/1/306268

来源: SECUNIA
名称: 8177
链接:http://secunia.com/advisories/8177

来源: SECUNIA
名称: 8087
链接:http://secunia.com/advisories/8087