首页 -> 安全研究
安全研究
安全漏洞
Courier-IMAP用户名SQL注入漏洞
发布日期:2003-02-04
更新日期:2003-02-10
受影响系统:
inter7 Courier-IMAP 1.6不受影响系统:
Double Precision Incorporated Courier MTA 0.37.3
- Debian Linux 3.0 alpha
- Debian Linux 3.0 IA-32
- Debian Linux 3.0 arm
- Debian Linux 3.0 powerpc
- Debian Linux 3.0 68k
- Debian Linux 3.0 i386
- Debian Linux 3.0 sparc
inter7 Courier-IMAP 1.7描述:
BUGTRAQ ID: 6738
CVE(CAN) ID: CVE-2003-0040
Courier-IMAP是一个提供IMAP协议访问Maildir的邮件服务程序。
Courier-IMAP在验证阶段不充分过滤用户提供的用户名数据,远程攻击者可以利用这个漏洞进行SQL注入攻击,破坏数据库。
Courier-IMAP中的PostgreSQL_auth验证模块存在漏洞,在把用户名传递给PostgreSQL引擎的时候,没有充分过滤恶意字符,攻击者可以在用户名中插入任意SQL命令,更改原来的SQL逻辑,导致获得数据库敏感信息,或者进行其他数据库破坏等恶意活动。
<*来源:Courier-IMAP
链接:http://www.debian.org/security/2003/dsa-247
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-247-1)以及相应补丁:
DSA-247-1:New courier packages fix SQL injection
链接:http://www.debian.org/security/2003/dsa-247
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3.dsc
Size/MD5 checksum: 846 06c98336ee0e40813eac24cb59574de8
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3.diff.gz
Size/MD5 checksum: 12649 bac28bb29418f9d965aedeb819876ebc
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3.orig.tar.gz
Size/MD5 checksum: 3238268 f5f742679ac97906fc306763e08e1ed8
Alpha architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_alpha.deb
Size/MD5 checksum: 43286 d73b6054896137f6593a4b438da54fdc
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_alpha.deb
Size/MD5 checksum: 9970 f8141363587679a4badc7c1c7e714751
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_alpha.deb
Size/MD5 checksum: 7700 6b774c8584957bee71f0cf4f66aac69a
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_alpha.deb
Size/MD5 checksum: 9748 d75800272a41656b4324131a8de3a47c
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_alpha.deb
Size/MD5 checksum: 93626 7cb6a750dfcd12d70cc792d6c0c25e44
ARM architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_arm.deb
Size/MD5 checksum: 31688 76f041c97200593230de7d75b74a27fa
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_arm.deb
Size/MD5 checksum: 9982 0391cd8403375b732364729533195baa
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_arm.deb
Size/MD5 checksum: 7710 39351976e1843f6c376864d578c88f8a
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_arm.deb
Size/MD5 checksum: 9762 c012baa4e698f48e6e74562f6f626d83
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_arm.deb
Size/MD5 checksum: 85796 b9ef96842ea07aa90f55e5ed9a22fcc6
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_i386.deb
Size/MD5 checksum: 31702 06f4eb45fef2f3bdc3240489e54ddb94
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_i386.deb
Size/MD5 checksum: 9986 584fe5ff49d360476ebf7ae799f55d78
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_i386.deb
Size/MD5 checksum: 7702 3deb08407cafe11d7f6560992aab1548
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_i386.deb
Size/MD5 checksum: 9754 8281e82d5e9a586d9f7c65e56cdb9d5e
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_i386.deb
Size/MD5 checksum: 85934 88583de865d2a8a71642c573a581b37c
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_ia64.deb
Size/MD5 checksum: 52488 9f27903c254017232f683d241291554a
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_ia64.deb
Size/MD5 checksum: 9966 c7892d31d784570e0b850f830de54b7a
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_ia64.deb
Size/MD5 checksum: 7702 432d440f8eed3064669685ba2137e675
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_ia64.deb
Size/MD5 checksum: 9744 16db3ffd78cf03be43f42d3dbad42abd
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_ia64.deb
Size/MD5 checksum: 99776 b4ad9bfa2138c815e6ef0bdce451ad1f
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_hppa.deb
Size/MD5 checksum: 38698 6354e42a8825547180e1d72ce88d4411
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_hppa.deb
Size/MD5 checksum: 9988 a3840b6d07ecbbb331013b2974793f9b
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_hppa.deb
Size/MD5 checksum: 7718 2814bb4c2ba66acfd115592696e11c20
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_hppa.deb
Size/MD5 checksum: 9760 fd04955f15e8bcbe9beedaafd63451d4
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_hppa.deb
Size/MD5 checksum: 89728 5790238a67c16dddad04cc4dedc59402
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_m68k.deb
Size/MD5 checksum: 30386 d9371b8ca860a6c8cc528398d443dc24
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_m68k.deb
Size/MD5 checksum: 9996 3f02bfe83fd648b29334f5ba13ef935a
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_m68k.deb
Size/MD5 checksum: 7726 43da03e0fb11e24d1a7942594caa2755
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_m68k.deb
Size/MD5 checksum: 9782 258b1435fb6e52dd6dc9aacbe316a37e
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_m68k.deb
Size/MD5 checksum: 84936 7d4b51710a752d7f6a53e75b90485441
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_mips.deb
Size/MD5 checksum: 37616 d1d9383cbba7b1051729d82a27923808
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_mips.deb
Size/MD5 checksum: 9988 acd934a8f93dac2ea887fd86394e24d8
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_mips.deb
Size/MD5 checksum: 7708 0297eb5910e632c7c06541aaca5773a3
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_mips.deb
Size/MD5 checksum: 9760 56a6a6b1c5ba18de262805bbb286a4ae
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_mips.deb
Size/MD5 checksum: 89832 c5195e55151d73bb957aa1a438a44580
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_mipsel.deb
Size/MD5 checksum: 37664 ca340f34aa9ca4f4d4dca605c07a65ce
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_mipsel.deb
Size/MD5 checksum: 9994 262df132d4996cac3011e6721da75864
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_mipsel.deb
Size/MD5 checksum: 7718 185ff2b06601d9be54ff24ff9970b7c8
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_mipsel.deb
Size/MD5 checksum: 9768 cf246ff96396e47d46bbb93051aa2352
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_mipsel.deb
Size/MD5 checksum: 89710 dd9288abb1040c1e7abfcd60d77853e3
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_powerpc.deb
Size/MD5 checksum: 34250 18d79adacdd40dc28c0a98b935123a44
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_powerpc.deb
Size/MD5 checksum: 9984 7fabecb34944b6c91c3d715828ff1c29
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_powerpc.deb
Size/MD5 checksum: 7702 7879e85df4b5784d88e4d399151376ce
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_powerpc.deb
Size/MD5 checksum: 9762 8bc79b825932c9fc610eb0da1a0ae363
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_powerpc.deb
Size/MD5 checksum: 87626 e35e6dfcae22dc627323bc1c0b9a708c
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_s390.deb
Size/MD5 checksum: 32818 57a6010ead7b7198e3821d1ecc59b3f7
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_s390.deb
Size/MD5 checksum: 9978 db8df580e4191d72f6816ec16e08e31b
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_s390.deb
Size/MD5 checksum: 7704 5b27db7bc128e9321bbe3e5ba6e73bc7
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_s390.deb
Size/MD5 checksum: 9756 a12f26e225fa2afe304177a0fc3628ec
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_s390.deb
Size/MD5 checksum: 87528 59e1740f6ef624130ff3e27ed81b92d4
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-authpostgresql_0.37.3-3.3_sparc.deb
Size/MD5 checksum: 32670 f44e6c6b05e3b4eb5badaa0c02b982fb
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_sparc.deb
Size/MD5 checksum: 9980 da61d5ef0adf05de8a8f336630c4b42b
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-mta-ssl_0.37.3-3.3_sparc.deb
Size/MD5 checksum: 7710 16c0477e0c3c5143e0b78824b16ca986
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_sparc.deb
Size/MD5 checksum: 9758 1aff618c6a6547f6ad4a2f425d65ed48
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_sparc.deb
Size/MD5 checksum: 89076 12602177603319651d1084cd86edbebf
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
inter7
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Inter7 Upgrade Courier-IMAP 1.7.0
http://www.inter7.com/courierframe.html
浏览次数:6422
严重程度:0(网友投票)
绿盟科技给您安全的保障