Bugtraq mailing list archives

TWIG SQL query bugs


From: Luki Rustianto <luki () karet org>
Date: Mon, 28 May 2001 21:00:55 +0700 (JAVT)

I can't find the person who is really in charge of developing TWIG, so I
am mailing about this bug to the person who announced the new version of
TWIG about two months ago.


--------------------------------------------------------------------------
Subject:              Unquoted SQL query => potential damage
Software package:     TWIG Webmail
Software Site:        HTTP://twig.screwdriver.net
Version tested:       2.6.2 and below (used with MySQL, didn't check others)
Platform:             Platform independent with PHP
Result:               Any user with a valid email account can delete or change
                      other users' data in the MySQL database.
Proof Of Concept:     Attached

Problem Description:
=====================
An unquoted value in an SQL query string is a small mistake that can lead to
real damage.
The free TWIG PHP webmail system is affected. MySQL accepts an unquoted value
in a comparison if the field type is INT, MEDIUMINT, TINYINT or similar.

The query:
DELETE FROM mytable WHERE id='1' AND owner='karet'
has the same effect as:
DELETE FROM mytable WHERE id=1 AND owner='karet'

However, additional caution is needed if the value of 'id' in the example
above is user-supplied data: that user then has control over the SQL query
and can produce a modified version such as:

DELETE FROM mytable WHERE id=1 OR id=2 OR id=3 AND owner='karet'
                              ~~~~~~~~~~~~~~~~
                              (modified value)

The modified query string above, of course, has a different meaning :)
The value "$id=1" has been changed to "$id=1 OR id=2 OR id=3". Because AND
binds more tightly than OR, the owner check now applies only to the last
condition, so rows 1 and 2 are deleted whoever owns them.

Running 'grep -r "WHERE id=" <TWIG installation dir>/lib/*' will output a
LOT of interesting information about which functions build a query string
matching this pattern; the exact list varies depending on the TWIG version
you have.

Some of them:

groups/personal.groups.inc.php3:
$query = "UPDATE " . $dbconfig["groups_table"] . " SET groupname='" .
         $newname . "' WHERE id=" . $groupid;
[... lots of others]

schedule/schedule.edit.inc.php3:
$query = "DELETE FROM " . $dbconfig["schedule_table"] . " WHERE id = " .
         $data["id"] . " AND (" . $groupquery . ")";
[... lots of others]

... and other files.

Or, if you really want to see and debug every query made by TWIG clearly,
TWIG's own query layer makes it easy :)
TWIG has a function named 'dbQuery' that is called on every SQL query
request.

(If used with MySQL, it is in <twig dir>/lib/db/mysql.db.inc.php3.)
Add the following code at the top of function dbQuery( $statement )
so that it reads like this (with TWIG 2.6.2):

[SNIP]
// Debugging aid: append every statement dbQuery() receives to a log file,
// one statement per line, so the queries can be read back and audited.
$fp = fopen("/tmp/twig_sql.log", "a");
fwrite($fp, $statement . "\n");
fclose($fp);
[/SNIP]

Every SQL request string will then be appended to the file "/tmp/twig_sql.log".
From that file you can see every action performed and audit it.
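Once dbQuery() is writing the log, the file can be checked mechanically rather than read by eye. The following Python is an added example, not part of this advisory or of TWIG: it scans constructed sample log lines (assumed to hold one statement per line) and flags any WHERE id= clause whose value is not a bare or quoted integer, which is exactly the shape the modified query above takes.

```python
import re

# Constructed sample of what a dbQuery() logger might append; the table
# names and values are assumptions, not taken from a real TWIG install.
SAMPLE_LOG = """\
SELECT * FROM twig_schedule WHERE id = 17 AND (owner='karet')
DELETE FROM twig_schedule WHERE id = 1 OR id=2 OR id=3 AND (owner='karet')
UPDATE twig_groups SET groupname='staff' WHERE id=42
UPDATE twig_groups SET groupname='staff' WHERE id='42'
"""

# Everything after "WHERE id =" on the line.
ID_CLAUSE = re.compile(r"\bWHERE\s+id\s*=\s*(.*)", re.IGNORECASE)

# The remainder is benign only if it is a bare or quoted integer, optionally
# followed by a further clause joined with AND (as TWIG's owner check is).
BENIGN_REMAINDER = re.compile(r"'?\d+'?\s*(?:AND\b.*)?$", re.IGNORECASE)


def suspicious_statements(log_text):
    """Return (line number, statement) for every logged statement whose
    id value does not look like a plain integer literal."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ID_CLAUSE.search(line)
        if m and not BENIGN_REMAINDER.match(m.group(1).strip()):
            hits.append((lineno, line))
    return hits


if __name__ == "__main__":
    for lineno, stmt in suspicious_statements(SAMPLE_LOG):
        print("line %d: %s" % (lineno, stmt))
```

The check is deliberately narrow: it keys on the WHERE id= pattern the grep above finds, so it will not notice injection through other columns, but it gives a quick first pass over an audit log.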

Solutions:
=============
Simply add proper quote characters (') around the values in query strings
that use INT, MEDIUMINT, TINYINT and similar field types in the WHERE clause.
If the $id value in the example above were placed between quotes, the query
would look like:

DELETE FROM mytable WHERE id='1 OR id=2 OR id=3' AND owner='karet'

which will output no result at all ... (in normal operation we cannot
inject our own quote character (') because PHP filters it and changes it
to "\'")
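To make the problem description and the fix concrete, here is an added example, written for this page rather than taken from TWIG. It uses Python with an in-memory SQLite table standing in for the PHP/MySQL pair (SQLite shares the AND-over-OR precedence that makes the modified value work). The vulnerable builder concatenates the id exactly as the TWIG fragments above do; the hardened builder refuses anything that is not an integer literal and passes both values as bound parameters, so it does not depend on the quote escaping the advisory relies on. The table and owner names are assumptions.

```python
import re
import sqlite3

# Constructed sample rows: an integer id column plus an owner column, as in
# the advisory's examples. Names and values are assumptions for this example.
ROWS = [(1, "karet"), (2, "alice"), (3, "bob")]


def fresh_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def delete_unquoted(conn, user_id, owner):
    """The vulnerable pattern: the user-supplied id is concatenated into the
    statement unquoted, so whatever it contains becomes part of the SQL."""
    stmt = "DELETE FROM mytable WHERE id=" + user_id + " AND owner='" + owner + "'"
    conn.execute(stmt)
    conn.commit()
    return stmt


def delete_hardened(conn, user_id, owner):
    """Hardened form: reject anything that is not a plain integer literal and
    pass both values as bound parameters, never as SQL text."""
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("id must be a non-negative integer, got %r" % user_id)
    conn.execute("DELETE FROM mytable WHERE id=? AND owner=?",
                 (int(user_id), owner))
    conn.commit()


def remaining_ids(conn):
    """Ids still present in the table, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM mytable ORDER BY id")]


def compare(user_id, owner="karet"):
    """Run both builders on the same input against fresh copies of the table.
    Returns (ids left by the unquoted builder, ids left by the hardened one,
    whether the hardened builder rejected the input)."""
    vuln = fresh_db()
    delete_unquoted(vuln, user_id, owner)
    safe = fresh_db()
    try:
        delete_hardened(safe, user_id, owner)
        rejected = False
    except ValueError:
        rejected = True
    return remaining_ids(vuln), remaining_ids(safe), rejected


if __name__ == "__main__":
    # Legitimate request: both builders delete only karet's row 1.
    print(compare("1"))
    # The advisory's modified value: AND binds tighter than OR, so the owner
    # check applies only to id=3; rows 1 and 2 go regardless of owner, while
    # the hardened builder refuses the value outright and deletes nothing.
    print(compare("1 OR id=2 OR id=3"))
```

With the modified value, the unquoted builder leaves only row 3 (bob's, protected by the owner check that now covers just the last condition), while the hardened builder leaves all three rows and reports the rejection. Validating the id as an integer and binding it as a parameter is what makes the owner check hold regardless of how PHP escapes quotes.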


NB: thanks to echo for letting me test it (also for the beers ;p).


==============================
jenggo <luki () karet org>
http://www.karet.org
=============================

Attachment: twig.txt
Description: text

