Z-Push SQL Injection Vulnerability in IMAP Backend
Vulnerability
A SQL injection vulnerability has been identified in the IMAP backend of Z-Push versions prior to 2.7.6. The backend builds SQL queries without parameterization, so an attacker can inject SQL commands through the username field during basic authentication. Exploitation could lead to unauthorized access to, and modification or deletion of, sensitive data in a connected third-party database. Only Z-Push installations that use the IMAP backend and have the IMAP_FROM_SQL_QUERY option enabled are affected.
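The difference between an unparameterized and a parameterized lookup keyed on the authenticated username, as an added example that is not Z-Push's own code. The in-memory SQLite database, the users table, its columns, and both function names are assumptions made for illustration.

```php
<?php
// Added illustration. Table, column and function names are hypothetical, not Z-Push code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (login TEXT, mail_address TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Unparameterized: the username taken from the Basic Authentication header
// is concatenated into the SQL text, so quotes in it change the statement.
function lookupFromUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT mail_address FROM users WHERE login = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized: the SQL text is fixed and the username is bound as a value,
// so it can only ever be compared against the login column.
function lookupFromSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT mail_address FROM users WHERE login = :login");
    $stmt->execute([':login' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal login and one that contains SQL syntax.
$inputs = ['alice', "nobody' OR '1'='1"];
foreach ($inputs as $username) {
    printf(
        "%-20s unsafe=%d row(s)  safe=%d row(s)\n",
        $username,
        count(lookupFromUnsafe($pdo, $username)),
        count(lookupFromSafe($pdo, $username))
    );
}
```

A row count that differs between the two functions for the same input means the input altered the query, which makes this comparison usable as a regression check on any custom lookup query.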
Impact
A successful injection lets an attacker manipulate SQL queries to access, modify, or delete data in the database. In this case, the vulnerability was exploited to extract database information, such as names and versions.
Reproduction
The vulnerability can be reproduced by sending a crafted username injection payload through the Basic Authentication header, using SQL injection techniques such as appending SQL commands to the username field. The IMAP backend then processes that username in its unparameterized SQL query, which lets the attacker alter query execution and extract or modify database information.
Remediation
Users are advised to upgrade Z-Push to version 2.7.6 or later. Additionally, for those using the IMAP backend, the configuration should be changed to the default or LDAP option in the backend/imap/config.php file.
