[dev] Fwd: Re: IMP 2.x SQL injection vulnerabilities

Ronnie Garcia ronnie at mk2.net
Mon Jan 13 11:10:06 PST 2003


Still from bugtraq

>From: Sylvain Robitaille <syl at alcor.concordia.ca>
>To: bugtraq at securityfocus.com
>Subject: Re: IMP 2.x SQL injection vulnerabilities
>
>On Wed, 8 Jan 2003, Jouko Pynnonen informed us that:
>
> > The vendor has been informed about this bug last month. Although there
> > hasn't been any direct reply, there was a comment on this on the IMP
> > mailing list: "2.2.x is officially deprecated/unsupported. This does not
> > apply to 3.x.".
> >
> > Versions up to and including 2.2.8 seem vulnerable. According to the
> > author, version 3 isn't affected so upgrading to IMP 3 is recommended.
> > This, and more information about IMP is available at http://horde.org/imp/.
>
>What many software developers (including, but apparently not limited
>to, many commercial software vendors) seem to fail to realize is that
>some sites use their applications in production environments, with (in
>my case tens of thousands of) real users and upgrading to the latest
>version which includes numerous changes above and beyond the fix for the
>reported bug is often difficult in the best of cases.
>
>In the case of Imp-2 -> Imp-3, the changes are much too significant for
>some of us to simply switch versions and hope our user community doesn't
>notice.  It's a lot easier for us to patch-in-place to deal with the bug
>itself, and leave the upgrade to new features (and new bugs!) to be done
>in a more coordinated fashion, with time for users to evaluate the new
>interface, etc.
>
>That being said, and thanks to the information in Jouko's advisory,
>I've patched our own Imp installation (which has now had so many patches
>applied I should start giving it local version numbers!) according to
>the appended.  I hope others will be able to make use of this patch,
>and I especially hope that if I've overlooked something, others will
>point it out...
>
>--
>----------------------------------------------------------------------
>Sylvain Robitaille                              syl at alcor.concordia.ca
>
>Systems analyst                                   Concordia University
>Instructional & Information Technology        Montreal, Quebec, Canada
>----------------------------------------------------------------------
>
># Of course, folks using Imp-2 with non-PostgreSQL databases will
># need to adapt the following to the appropriate db.* file
>
>--- lib/db.pgsql.20030108       2000-12-20 15:45:33.000000000 -0500
>+++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
>@@ -26,6 +26,13 @@
>  function imp_add_address ($address, $nickname, $fullname, $user, $server) {
>         global $default;
>
>+        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+        $address  = addslashes($address);
>+        $nickname = addslashes($nickname);
>+        $fullname = addslashes($fullname);
>+        $user     = addslashes($user);
>+        $server   = addslashes($server);
>+
>         /* post: adds $address, $nickname, $fullname to the addressbook 
> for $user@$server
>            returns true on success and false on failure
>      */
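Review bot: addslashes() in lib/db.pgsql is generic escaping rather than PostgreSQL-aware escaping; the same five lines could call pg_escape_string() (available from PHP 4.2.0), which applies the backend's own quoting rules instead of the fixed backslash-before-quote rule. The sanitizing block also lands between `global $default;` and the `/* post: ... */` comment, so the function's documentation no longer sits next to its signature; placing the escaping after the comment keeps the file's existing layout.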
>@@ -41,6 +48,10 @@
>  function imp_check_prefs ($user, $server) {
>         global $_imp_prefs_exist, $default;
>
>+        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+        $user     = addslashes($user);
>+        $server   = addslashes($server);
>+
>         if (isset($_imp_prefs_exist)) {
>                 return $_imp_prefs_exist;
>         }
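Review bot: the two addslashes() calls sit before the `if (isset($_imp_prefs_exist))` early return, so they run on every call even when the cached result is returned and $user/$server are never used in a query. Moving the sanitizing block below `return $_imp_prefs_exist;` leaves the cached path untouched and makes it clearer that the escaping belongs to the query that follows.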
>@@ -59,6 +70,11 @@
>  function imp_delete_address ($address, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $address  = addslashes($address);
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: deletes $address from the addressbook of $user@$server
>      returns true on success and false on failure
>      */
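Review bot: escaping inside imp_delete_address() is only correct if no caller has already escaped the same values; with magic_quotes_gpc enabled (the usual PHP 4 setting at the time) request data arrives already slashed, and a second addslashes() here adds another layer of backslashes, so the DELETE's WHERE clause stops matching the address that was stored. Either strip magic quotes at the input boundary (get_magic_quotes_gpc() plus stripslashes()) or state in the new comment that this layer is the only place escaping happens.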
>@@ -72,6 +88,10 @@
>  function imp_get_addresses ($user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: returns a 2d array of addresses where each
>      element is an array in which element 0 is the address,
>      element 1 is the nickname, and element 2 is the fullname.
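Review bot: this is the fourth copy of the identical $user/$server sanitizing block and the same two lines recur in every remaining function of the file. A small local helper (say a hypothetical imp_db_escape() wrapping whichever escaping call is chosen) applied once at the top of each function would reduce the change to one line per function and let the escaping function be swapped later in one place rather than thirteen.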
>@@ -92,6 +112,10 @@
>  function imp_get_from ($user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: returns the signature for the database key $user@$server
>      (a string), or false on failure.
>      */
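Review bot: the comment following the new lines, `/* post: returns the signature for the database key $user@$server`, does not describe imp_get_from(), whose matching setter says it `sets the replyto to $from`; the same copied text appears in imp_get_fullname() and imp_get_lang(). Since the patch already touches these three functions, correcting their post-conditions would be a cheap improvement.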
>@@ -105,6 +129,10 @@
>  function imp_get_fullname ($user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: returns the signature for the database key $user@$server
>      (a string), or false on failure.
>      */
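Review bot: the hunk shows the escaping but not the query, so it cannot be confirmed from these lines that $user and $server are interpolated inside single-quoted SQL literals; addslashes() only protects a value that sits between quotes, and a value placed unquoted, or used in an identifier position, stays injectable regardless of the escaping. Including the SELECT line as trailing context in each hunk would let the quoting be checked together with the escaping.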
>@@ -118,6 +146,10 @@
>  function imp_get_lang ($user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: returns the signature for the database key $user@$server
>      (a string), or false on failure.
>      */
>@@ -131,6 +163,10 @@
>  function imp_get_signature ($user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: returns the signature for the database key $user@$server
>      (a string), or false on failure.
>      */
>@@ -144,6 +180,11 @@
>  function imp_set_from ($from, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $from     = addslashes($from);
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: sets the replyto to $from for the database key $user@$server
>      returns true on success and false on failure
>      */
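Review bot: the setter now escapes $from on the way in while the corresponding getter returns whatever the database stored, so a round-trip test is the quickest way to confirm the fix does not alter data: set a reply-to containing an apostrophe and a backslash, read it back through imp_get_from(), and expect the original string unchanged. Extra backslashes on the way back would mean some other layer is escaping the same value.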
>@@ -165,6 +206,11 @@
>  function imp_set_fullname ($fullname, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $fullname = addslashes($fullname);
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: sets the fullname to $fullname for the database key 
> $user@$server
>      returns true on success and false on failure
>      */
>@@ -186,6 +232,11 @@
>  function imp_set_lang ($lang, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $lang     = addslashes($lang);
>+   $user     = addslashes($user);
>+   $server   = addslashes($server);
>+
>     /* post: sets the language to $lang for the database key $user@$server
>      returns true on success and false on failure
>      */
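Review bot: $lang is a language selection rather than free text, so escaping is a weaker fix than this field allows; validating $lang against the list of languages the installation actually offers, and rejecting anything else before it reaches this function, closes the injection path for this field without relying on escaping at all. The addslashes() call can remain as defence in depth.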
>@@ -208,6 +259,11 @@
>  function imp_set_signature ($signature, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $signature = addslashes($signature);
>+   $user      = addslashes($user);
>+   $server    = addslashes($server);
>+
>     /* post: sets the signature to $signature for the database key 
> $user@$server
>      returns true on success and false on failure
>      */
>@@ -230,6 +286,14 @@
>  function imp_update_address ($old_address, $address, $nickname, 
> $fullname, $user, $server) {
>     global $default;
>
>+   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
>+   $old_address = addslashes($old_address);
>+   $address     = addslashes($address);
>+   $nickname    = addslashes($nickname);
>+   $fullname    = addslashes($fullname);
>+   $user        = addslashes($user);
>+   $server      = addslashes($server);
>+
>     /* post: changes the entry for $old_address to $address, $nickname, 
> $fullname.
>      returns true on success and false on failure
>      */
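Review bot: the context line `function imp_update_address ($old_address, $address, $nickname, ` is split across two lines in the posted patch, as are the post-condition comments in several earlier hunks, so `patch` will not apply this hunk as mailed; resending the patch as an attachment, or with line wrapping disabled, would fix that. On the change itself, escaping $old_address as well as the new values is right, since it is the value that selects the row being updated.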
