Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Luki Rustianto (lukikaret.org)
Date: Mon May 28 2001 - 09:00:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I can't find the person who really in charge on developing twig, so I
    mail about this bug to the person who announce new version of twig
    about two month ago.

    Subject: Unquoted SQL query => potential damage
    Software package: TWIG Webmail
    Software Site: http://twig.screwdriver.net
    Version tested: 2.6.2 and below (used with MySQL, didn't check others)
    Platform: Platform independent with PHP
    Result: Any user with valid email account can delete or change
                          other user's data on mysql database.
    Proof Of Concept: Attached

    Problem Description:
    Unquoted SQL query string is a little mistake that could lead to potential
    TWIG free PHP Webmail system is affected. As we know, mysql accept unquoted
    query string if the field type is int, mediumint, tinyint or like.

    The query:
    DELETE FROM mytable WHERE id='1' AND owner='karet'
    have the same effect with:
    DELETE FROM mytable WHERE id=1 AND owner='karet'

    However additional caution must be made if variable 'id' values on above
    example is a user suplied data thus could make that user to have control
    over sql query and made a modified version of query like:

    DELETE FROM mytable WHERE id=1 OR id=2 OR id=3 AND owner='karet'
                                  (modified value)

    the modified query string above, ofcourse, have diferent meanings :)
    value of "$id=1" is changed to "$id=1 OR id=2 OR id=3".

    Doing 'grep -r "WHERE id=" <TWIG installation dir>/lib/*' will output
    LOT of intresting informations of which function has query string
    match our need - this may varies depend on TWIG version you have.

    Some of them:

    $query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" .
             $newname . "' WHERE id=" . $groupid;
    [... lots other]

    $query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " .
             $data["id"] . " AND (" . $groupquery . ")";
    [... lots other]

    ... and other files.

    Or if you really want to clearly see and debug every query made by TWIG
    then with help of query system on TWIG it can be done easilly :)
    TWIG has a function named 'dbQuery' that always called on every
    sql query request.

    (if used with mysql it's on <twig dir>/lib/db/mysql.db.inc.php3)
    Add the following code at the top of Function dbQuery( $statement )
    to be like (with TWIG 2.6.2):

    $fp = fopen ("/tmp/twig_sql.log", "a");
    fwrite ($fp, $statement);

    so every sql request string will be appended to file "/tmp/twig_sql.log".
    From that file you can see every action performed and audit it.

    just simply add a proper quoted sign "'" to query string that using
    int,mediumint, tinyint and so like field type as WHERE clause.
    If the $id values on example above lied between a quoted sign then the query
    will looks like:

    DELETE FROM mytable WHERE id='1 OR id=2 OR id=3' AND owner='karet'

    which will output no result at all ... (on normal operation we can not
    inject own quote "'" sign as PHP will filter and change it to "\'")

    NB: thx to echo for let me test it (also for the beers ;p).

    jenggo <lukikaret.org>

    • TEXT/plain attachment: text