Bug 42797 (CVE-2003-0025)

Summary: VUL-0: CVE-2003-0025: imp: SQL injection
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Tomas Crhak <tcrhak>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0025: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: putonftp template

Description Thomas Biege 2003-07-09 20:16:41 UTC
Hi, 
the following was reported by Conectiva. 
Are we affected too?
 
 
--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------
 
PACKAGE   : imp 
SUMMARY   : SQL code injection vulnerability 
DATE      : 2003-07-08 11:00:00 
ID        : CLA-2003:690 
RELEVANT 
RELEASES  : 7.0, 8 
 
-------------------------------------------------------------------------
 
DESCRIPTION 
 Imp[1] is a webmail system which uses the Horde framework. 
  
 Jouko Pynnonen reported[3] that the Imp webmail version 2.x has a SQL 
 injection vulnerability[2]. 
  
 Imp can optionally store user preferences, contacts list and session 
 IDs in a SQL database. A remote attacker can use this vulnerability 
 to execute SQL commands and possibly get session IDs and steal 
 another user's webmail session. Other consequences are possible and 
 depend on the privileges Imp has in the database. Usually, these 
 privileges are limited to the Imp database itself, but this is site 
 and database specific. 
  
 This update also contains some fixes for Imp and Horde to make them 
 work with PHP 4.3.2. 
 
 
SOLUTION 
 It is recommended that all Imp users upgrade their packages. 
  
  
 REFERENCES 
 1. http://www.horde.org/imp/ 
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0025 
 3. http://marc.theaimsgroup.com/?l=bugtraq&m=104204786206563&w=2 
 
 
UPDATED PACKAGES 
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/horde-1.2.8-1U70_2cl.src.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/imp-2.2.8-1U70_3cl.src.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-1.2.8-1U70_2cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-mysql-1.2.8-1U70_2cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-pgsql-1.2.8-1U70_2cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/horde-shm-1.2.8-1U70_2cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imp-2.2.8-1U70_3cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/8/SRPMS/horde-1.2.8-2U80_1cl.src.rpm 
ftp://atualizacoes.conectiva.com.br/8/SRPMS/imp-2.2.8-2U80_2cl.src.rpm 
ftp://atualizacoes.conectiva.com.br/8/RPMS/horde-1.2.8-2U80_1cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/8/RPMS/horde-mysql-1.2.8-2U80_1cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/8/RPMS/horde-pgsql-1.2.8-2U80_1cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/8/RPMS/horde-shm-1.2.8-2U80_1cl.noarch.rpm 
ftp://atualizacoes.conectiva.com.br/8/RPMS/imp-2.2.8-2U80_2cl.noarch.rpm 
 
 
ADDITIONAL INSTRUCTIONS 
 The apt tool can be used to perform RPM package upgrades:
 
 - run:                 apt-get update 
 - after that, execute: apt-get upgrade 
 
 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en 
 
-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions 
on how to import it can be found at  
http://distro.conectiva.com.br/seguranca/chave/?idioma=en 
Instructions on how to check the signatures of the RPM packages can be 
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en 
 
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at 
http://distro.conectiva.com.br/atualizacoes/?idioma=en 
 
-------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc. 
http://www.conectiva.com
Comment 1 Thomas Biege 2003-07-09 20:16:41 UTC
-
Comment 2 Thomas Biege 2003-07-11 17:38:18 UTC
Created attachment 13076
putonftp template

We need a security update for this one...
Comment 3 Tomas Crhak 2003-07-11 19:36:29 UTC
We have already had a security update for db injection (patches injection and
injection-db) - is this something new or were those fixes incomplete?
Comment 4 Thomas Biege 2003-07-11 19:51:44 UTC
Oh ok. Did you check their patches from the source rpm?
Comment 5 Thomas Biege 2003-07-18 16:38:57 UTC
Some news here? Was it the same bug? 
Comment 6 Tomas Crhak 2003-07-28 21:02:08 UTC
The patches are different, but I believe they are attempting to fix the same
bug. Conectiva has patches for oracle and oci, which we do not have.
It should be easier for you to compare the patches, as
1. IIRC you have created the SuSE patches
2. you are a security guru
Comment 7 Thomas Biege 2003-07-30 14:56:19 UTC
If you have a security-related question you can't solve on your own,
send us an email (security-team@) please. 
Comment 8 Thomas Biege 2003-08-12 17:51:04 UTC
I think there was some misunderstanding here, sorry. 
 
I'll close this bug now. 
Comment 9 Thomas Biege 2009-10-13 19:36:56 UTC
CVE-2003-0025: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)