CVE-2003-0025
CVSS 7.5
Published: 2003-01-17 00:00:00
Last revised: 2016-10-17 22:28:30

[Original] Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3.


[CNNVD] Horde IMP Database File SQL Injection Vulnerability (CNNVD-200301-020)

        
        IMP is a web-based mail client developed by the Horde project; it runs on Linux/Unix and on Microsoft Windows.
        Horde IMP does not adequately filter user-supplied input before passing it to SQL queries. A remote attacker can exploit this to inject SQL, which may corrupt the database, disclose its contents, or enable other unauthorized actions.
        The flaw lies in several of the database functions in the lib/db.* backend files, for example check_prefs in db.pgsql:
         $sql="select username from $default->db_pref_table where username='$user@$server'";
        The user-supplied values are placed directly into the SQL string without any input checking, so an attacker who submits a crafted URI can alter the query, modify or destroy database contents, or perform other illegitimate operations.
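The check_prefs query above, rebuilt as an added example that is not IMP's code: the page's snippet is PHP against PostgreSQL, and this Python version reproduces the same string-built query on an in-memory SQLite table so it runs offline, placing the vulnerable form next to a dialect-correct escaped form and a parameterised form. The table name imp_prefs, its rows and both payload strings are constructed for the demo; that IMP's pgsql backend executes stacked statements the way PHP's pg_query() can is an assumption, emulated here with executescript().

```python
"""Added example (not IMP's code): the IMP 2.2 check_prefs query pattern,
re-created in Python on SQLite so the injection and its fixes run offline.
The page's original is PHP against PostgreSQL; the table name, rows and
payloads below are constructed for this demo."""
import sqlite3

DB_PREF_TABLE = "imp_prefs"          # stands in for $default->db_pref_table
SERVER = "mail.example"              # stands in for $server

# Constructed attack strings for the $user parameter. The code appends
# "@$server'" after the user value, so each payload is written to absorb
# that tail into a valid statement instead of relying on a "--" comment.
WILDCARD_USER = "x' OR username LIKE '%"              # ... OR username LIKE '%@mail.example'
STACKED_USER = "x'; delete from imp_prefs; select '"  # ...; delete ...; select '@mail.example'


def make_db():
    """Fresh in-memory prefs table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"create table {DB_PREF_TABLE} (username text primary key, lang text)")
    conn.executemany(f"insert into {DB_PREF_TABLE} values (?, ?)",
                     [("alice@mail.example", "en"), ("bob@mail.example", "de")])
    conn.commit()
    return conn


def check_prefs_vulnerable(conn, user, server=SERVER):
    """Mirrors the page's line:
    $sql="select username from $default->db_pref_table where username='$user@$server'";
    """
    sql = f"select username from {DB_PREF_TABLE} where username='{user}@{server}'"
    return conn.execute(sql).fetchone() is not None


def quote_literal(value):
    """Dialect-correct quoting for SQLite and PostgreSQL: double the single quote.
    This is what pg_escape_string() does; addslashes() emits \\' instead, which
    SQLite does not recognise and PostgreSQL ignores once standard_conforming_strings is on."""
    return "'" + value.replace("'", "''") + "'"


def check_prefs_escaped(conn, user, server=SERVER):
    """Escaping applied at the point the SQL string is assembled."""
    sql = f"select username from {DB_PREF_TABLE} where username={quote_literal(user + '@' + server)}"
    return conn.execute(sql).fetchone() is not None


def check_prefs_param(conn, user, server=SERVER):
    """Parameterised: the value never becomes part of the SQL text at all."""
    sql = f"select username from {DB_PREF_TABLE} where username=?"
    return conn.execute(sql, (f"{user}@{server}",)).fetchone() is not None


def rows_after_stacked_injection(user=STACKED_USER, server=SERVER):
    """PHP's pg_query() runs several ';'-separated statements in one call; whether
    db.pgsql's query helper does is not shown on the page, so this is an assumption,
    emulated with executescript(). Returns the number of pref rows left afterwards."""
    conn = make_db()
    sql = f"select username from {DB_PREF_TABLE} where username='{user}@{server}'"
    conn.executescript(sql)
    return conn.execute(f"select count(*) from {DB_PREF_TABLE}").fetchone()[0]


def demo():
    """Runs each variant against the same payload and returns the outcomes."""
    conn = make_db()
    return {
        "legit_vulnerable": check_prefs_vulnerable(conn, "alice"),          # True: real user
        "inject_vulnerable": check_prefs_vulnerable(conn, WILDCARD_USER),   # True: no such user
        "inject_escaped": check_prefs_escaped(conn, WILDCARD_USER),         # False
        "inject_param": check_prefs_param(conn, WILDCARD_USER),             # False
        "legit_param": check_prefs_param(conn, "bob"),                      # True
        "rows_left_after_stacked": rows_after_stacked_injection(),          # 0
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} {outcome}")
```

The wildcard payload shows why a check_prefs that only answers "does a row exist" still matters: the attacker makes it answer yes for an account that was never created. The stacked payload is the "corrupt the database" outcome from the description, and it only works where the driver call executes more than one statement per string, which is why the parameterised form, not escaping, is the fix to carry forward.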
        

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:horde:imp:2.2      Horde IMP 2.2
cpe:/a:horde:imp:2.2.8    Horde IMP 2.2.8
cpe:/a:horde:imp:2.2.5    Horde IMP 2.2.5
cpe:/a:horde:imp:2.2.4    Horde IMP 2.2.4
cpe:/a:horde:imp:2.2.7    Horde IMP 2.2.7
cpe:/a:horde:imp:2.2.6    Horde IMP 2.2.6
cpe:/a:horde:imp:2.2.1    Horde IMP 2.2.1
cpe:/a:horde:imp:2.2.3    Horde IMP 2.2.3
cpe:/a:horde:imp:2.2.2    Horde IMP 2.2.2

- OVAL (Technical Details for Detection)

No related OVAL definitions found.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0025
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0025
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200301-020
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=104204786206563&w=2
(UNKNOWN)  BUGTRAQ  20030108 IMP 2.x SQL injection vulnerabilities
http://www.debian.org/security/2003/dsa-229
(VENDOR_ADVISORY)  DEBIAN  DSA-229
http://www.securityfocus.com/archive/1/306268
(UNKNOWN)  BUGTRAQ  20030108 Re: IMP 2.x SQL injection vulnerabilities
http://www.securityfocus.com/bid/6559
(UNKNOWN)  BID  6559
http://www.securitytracker.com/id?1005904
(UNKNOWN)  SECTRACK  1005904

- Vulnerability Information

Horde IMP Database File SQL Injection Vulnerability
High severity    Input validation
Published: 2003-01-17 00:00:00    Updated: 2005-10-20 00:00:00
Remote
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Untested third-party patch for IMP 2.x on PostgreSQL:
        # Of course, folks using Imp-2 with non-PostgreSQL databases will
        # need to adapt the following to the appropriate db.* file
        --- lib/db.pgsql.20030108 2000-12-20 15:45:33.000000000 -0500
        +++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
        @@ -26,6 +26,13 @@
        function imp_add_address ($address, $nickname, $fullname, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $address = addslashes($address);
        + $nickname = addslashes($nickname);
        + $fullname = addslashes($fullname);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: adds $address, $nickname, $fullname to the addressbook for $user@$server
        returns true on success and false on failure
        */
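Review bot: the five addslashes() calls (`+ $address = addslashes($address);` through `+ $server = addslashes($server);`) escape with a backslash regardless of the database's quoting rules, and this file is the PostgreSQL backend: on a server where standard_conforming_strings is on, a backslash inside an ordinary string literal is not an escape, so `\'` does not neutralize the quote, and with PHP's magic_quotes_gpc enabled the request values arrive already escaped and are escaped a second time here. Suggest pg_escape_string(), which doubles the quote and is correct under either server setting, or, where the driver allows it, passing the values as query parameters instead of interpolating them. Style point: the dated, signed "Sanitize our input" comment sits above the function's `/* post: ... */` contract block; a line in that contract stating that arguments are SQL-escaped on entry would age better than the signature.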
        @@ -41,6 +48,10 @@
        function imp_check_prefs ($user, $server) {
        global $_imp_prefs_exist, $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        if (isset($_imp_prefs_exist)) {
        return $_imp_prefs_exist;
        }
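Review bot: escaping `$user` and `$server` ahead of the `if (isset($_imp_prefs_exist))` early return is right, since the cached path never touches the query and the `where username='$user@$server'` lookup in this function (the one the CVE text names) sees the escaped values. Two gaps remain: the escaped copies are local to imp_check_prefs, so any caller that interpolates the raw `$user`/`$server` into another statement is untouched by this hunk, and `$default->db_pref_table` is still interpolated unquoted, which is only safe while that value comes from the configuration file and never from the request. Suggest additionally rejecting `$user` and `$server` values containing quotes, semicolons or whitespace where the request is parsed, so the escaping here becomes a second line of defence rather than the only one.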
        @@ -59,6 +70,11 @@
        function imp_delete_address ($address, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $address = addslashes($address);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: deletes $address from the addressbook of $user@$server
        returns true on success and false on failure
        */
        @@ -72,6 +88,10 @@
        function imp_get_addresses ($user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: returns a 2d array of addresses where each
        element is an array in which element 0 is the address,
        element 1 is the nickname, and element 2 is the fullname.
        @@ -92,6 +112,10 @@
        function imp_get_from ($user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: returns the signature for the database key $user@$server
        (a string), or false on failure.
        */
        @@ -105,6 +129,10 @@
        function imp_get_fullname ($user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: returns the signature for the database key $user@$server
        (a string), or false on failure.
        */
        @@ -118,6 +146,10 @@
        function imp_get_lang ($user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: returns the signature for the database key $user@$server
        (a string), or false on failure.
        */
        @@ -131,6 +163,10 @@
        function imp_get_signature ($user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: returns the signature for the database key $user@$server
        (a string), or false on failure.
        */
        @@ -144,6 +180,11 @@
        function imp_set_from ($from, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $from = addslashes($from);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: sets the replyto to $from for the database key $user@$server
        returns true on success and false on failure
        */
        @@ -165,6 +206,11 @@
        function imp_set_fullname ($fullname, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $fullname = addslashes($fullname);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: sets the fullname to $fullname for the database key $user@$server
        returns true on success and false on failure
        */
        @@ -186,6 +232,11 @@
        function imp_set_lang ($lang, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $lang = addslashes($lang);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: sets the language to $lang for the database key $user@$server
        returns true on success and false on failure
        */
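Review bot: `$lang` is escaped like a free-form string (`+ $lang = addslashes($lang);`), but if the set of languages IMP can apply is a fixed list, checking `$lang` against that list and rejecting anything else is the tighter fix: it closes the SQL path and also stops an arbitrary string from being stored as the user's language and handed back by imp_get_lang (hunk above). The same reasoning applies to `$server`, which should only ever name a configured mail server.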
        @@ -208,6 +259,11 @@
        function imp_set_signature ($signature, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $signature = addslashes($signature);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: sets the signature to $signature for the database key $user@$server
        returns true on success and false on failure
        */
        @@ -230,6 +286,14 @@
        function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
        global $default;
        + /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
        + $old_address = addslashes($old_address);
        + $address = addslashes($address);
        + $nickname = addslashes($nickname);
        + $fullname = addslashes($fullname);
        + $user = addslashes($user);
        + $server = addslashes($server);
        +
        /* post: changes the entry for $old_address to $address, $nickname, $fullname.
        returns true on success and false on failure
        */
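Review bot: the same addslashes() block is now hand-copied into thirteen functions, and every hunk stops at the closing `*/` of the post-condition comment, so the statements that actually consume `$old_address`, `$address`, `$nickname` and the rest are not in the diff; a reviewer cannot confirm from these hunks that no other interpolation site in the file was missed, and the header note that other db.* backends "will need to adapt the following" means each of them repeats the exercise by hand. Suggest one quoting helper in the shared database layer, called where the SQL string is assembled, so the next function added to a db.* file is covered without anyone remembering to paste the block.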
        Vendor patch:
        Horde
        -----
        The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
        Horde Upgrade IMP 3.1
        
        http://www.horde.org/imp/3.1/

- Vulnerability Information

10105
Horde IMP mailbox.php3 Multiple Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

- Timeline

2003-01-08 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

Horde IMP Database Files SQL Injection Vulnerabilities
Class: Input Validation Error    Bugtraq ID: 6559
Remote: Yes    Local: No
Published: 2003-01-08 12:00:00    Updated: 2009-07-11 07:17:00
Discovery of this issue is credited to Jouko Pynnonen <jouko@solutions.fi>.

- Affected Versions

Horde Project IMP 2.2.8
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Horde Project Horde 1.2.8
Horde Project IMP 2.2.7
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
+ Horde Project Horde 1.2.7
Horde Project IMP 2.2.6
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Debian Linux 2.2
+ Horde Project Horde 1.2.6
Horde Project IMP 2.2.5
+ Caldera OpenLinux Server 3.1
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
+ Horde Project Horde 1.2.5
Horde Project IMP 2.2.4
+ Caldera OpenLinux Server 3.1
+ Horde Project Horde 1.2.4
Horde Project IMP 2.2.3
+ Horde Project Horde 1.2.3
Horde Project IMP 2.2.2
+ Horde Project Horde 1.2.2
Horde Project IMP 2.2.1
+ Horde Project Horde 1.2.1
Horde Project IMP 2.2
+ Horde Project Horde 1.2
Horde Project Horde 1.2.8
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
Horde Project Horde 1.2.7
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
Horde Project Horde 1.2.6
Horde Project Horde 1.2.5
Horde Project Horde 1.2.4
Horde Project Horde 1.2.3
Horde Project Horde 1.2.2
Horde Project Horde 1.2.1
Horde Project Horde 1.2

- Not Affected Versions

Horde Project IMP 3.1
Horde Project IMP 3.0

- Discussion

It has been reported that Imp is prone to multiple SQL injection vulnerabilities.

IMP, in some cases, does not sufficiently sanitize user-supplied input which is passed to SQL queries. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. Consequences will vary depending on the queries used and the capabilities of the underlying database implementation.

These issues occur throughout the database command files for different database implementations, for example 'lib/db.pgsql'.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

- Exploit

There is no exploit code required.

- Solution

Debian released an advisory (DSA 229-1) containing incorrect fixes. Debian followed up with a revision (DSA 229-2) which contains the correct fixes.

This issue reportedly does not exist in Horde IMP versions 3.0 and later. Horde IMP 2.2 is no longer being actively developed. Users are advised to upgrade.

Conectiva has released advisory CLA-2003:690 with fixes to address this issue.


Horde Project IMP 2.2
Horde Project IMP 2.2.1
Horde Project IMP 2.2.2
Horde Project IMP 2.2.3
Horde Project IMP 2.2.4
Horde Project IMP 2.2.5
Horde Project IMP 2.2.6
Horde Project IMP 2.2.7
Horde Project IMP 2.2.8

- References

About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first Chinese-language open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.