TWIG SQL query bugs

Type securityvulns
Reporter Securityvulns
Modified 2001-05-29T00:00:00


I can't find the person who really in charge on developing twig, so I mail about this bug to the person who announce new version of twig about two month ago.

Subject: Unquoted SQL query => potential damage Software package: TWIG Webmail Software Site: HTTP:// Version tested: 2.6.2 and below (used with MySQL, didn't check others) Platform: Platform independent with PHP Result: Any user with valid email account can delete or change other user's data on mysql database. Proof Of Concept: Attached

Problem Description:

Unquoted SQL query string is a little mistake that could lead to potential damage. TWIG free PHP Webmail system is affected. As we know, mysql accept unquoted query string if the field type is int, mediumint, tinyint or like.

The query: DELETE FROM mytable WHERE id='1' AND owner='karet' have the same effect with: DELETE FROM mytable WHERE id=1 AND owner='karet'

However additional caution must be made if variable 'id' values on above example is a user suplied data thus could make that user to have control over sql query and made a modified version of query like:

DELETE FROM mytable WHERE id=1 OR id=2 OR id=3 AND owner='karet' ~~~~~~~~~~~~~~~~ (modified value)

the modified query string above, ofcourse, have diferent meanings :) value of "$id=1" is changed to "$id=1 OR id=2 OR id=3".

Doing 'grep -r "WHERE id=" <TWIG installation dir>/lib/*' will output LOT of intresting informations of which function has query string match our need - this may varies depend on TWIG version you have.

Some of them:

groups/ $query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" . $newname . "' WHERE id=" . $groupid; [... lots other]

schedule/ $query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " . $data["id"] . " AND (" . $groupquery . ")"; [... lots other]

... and other files.

Or if you really want to clearly see and debug every query made by TWIG then with help of query system on TWIG it can be done easilly :) TWIG has a function named 'dbQuery' that always called on every sql query request.

(if used with mysql it's on <twig dir>/lib/db/ Add the following code at the top of Function dbQuery( $statement ) to be like (with TWIG 2.6.2):

[SNIP] $fp = fopen ("/tmp/twig_sql.log", "a"); fwrite ($fp, $statement); fclose($fp); [/SNIP]

so every sql request string will be appended to file "/tmp/twig_sql.log".

DELETE FROM mytable WHERE id='1 OR id=2 OR id=3' AND owner='karet'

which will output no result at all ... (on normal operation we can not inject own quote "'" sign as PHP will filter and change it to "\'")

NB: thx to echo for let me test it (also for the beers ;p).

============================== jenggo <> =============================