Potential SQL injection vulnerability in Apache::AuthCAS

2007-12-09T00:00:00
ID SECURITYVULNS:DOC:18600
Type securityvulns
Reporter Securityvulns
Modified 2007-12-09T00:00:00

Description

Some weeks ago, I sent the following message to David Castro, the author of Apache::AuthCAS. As there hasn't been any reply and the guys at ja-sig.org haven't been able or willing to look into it, perhaps there is somebody here who wants to have a closer look at this?

CAS is the Central Authentication Service that seems to be used in several large, mainly academic, networks.

I believe I have found an SQL injection vulnerability in Apache::AuthCAS, the perl module used to authenticate users of various web sites against a CAS server. That is, I haven't been able to verify it as I don't have a working system here (and didn't want to hack around in others'); my colleague Dirk Stander and I just came across it while looking for candidates for a web authentication system and it seems fairly obvious from looking at the source:

In line 516 of the CPAN version [http://search.cpan.org/~dcastro/Apache-AuthCAS-0.4/lib/Apache/AuthCAS.pm], the session ID is extracted from the cookie as

$cookie =~ /.$SESSION_COOKIE_NAME=([^;]+)(\s;.|\s$)/; $sid = $1 || "";

then it is passed to get_session_data() iin line 544 without sanitizing it. get_session_data() simply inserts $sid into SQL in line 1005:

my $sth = $dbh->prepare("SELECT last_accessed, uid, pgtiou FROM $DB_SESSION_TABLE WHERE id='$sid';");

Manipulating your cookie to contain a session ID of "x' OR 'x'='x" or someting equivalent wouldn't be caught. As this way of inserting arguments into SQL is used throughout the module, there are other places where it is potentially even more dangerous, like the INSERT in line 974, although we didn't check the program flow to this function.

regards, Matthias -- I prefer encrypted and signed messages. KeyID: FAC37665 Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665