

Vulnerability in session_handler.php?

pagedown
Sun 29 April 2007, 08:27 pm GMT +0300
Hi Olaf,

You fixed a problem which someone reported as a possible SQL injection attack. i.e. an attacker could enter "administrator' or 'a'='a" for the username and get in without a password.

It looks like there is a similar, although more difficult to exploit, problem in session_handler.php, in the function _read and others:

    function _read($ses_id) {
        $session_sql = "SELECT * FROM " . $this->ses_table
                     . " WHERE ses_id = '$ses_id'";

$ses_id is used without being checked. I believe $ses_id is the session id provided from the user's browser. A hacker could set this to any value, causing undesirable effects, e.g. DROP sessions.

I think the code should be

    function _read($ses_id) {
        // escape the browser-supplied id before it is placed in the query
        $ses_id = mysql_real_escape_string($ses_id);
        $session_sql = "SELECT * FROM " . $this->ses_table
                     . " WHERE ses_id = '$ses_id'";

This also applies to other functions in session_handler.php

Mike
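As an added example (not olaf's session handler and not code posted in this thread), here is a read function in the shape of _read, first with the unchecked interpolation and then hardened with a format check on the id and a PDO prepared statement in place of mysql_real_escape_string; the `sessions` table, its column names and the `$db` connection are assumptions, and the demo data is constructed.

```php
<?php
// Added example, not the project's code. Assumed: a PDO connection $db and
// a table `sessions` (ses_id TEXT, ses_value TEXT); both names are placeholders.

// Session IDs that PHP itself generates contain only these characters, so a
// value with quotes, spaces or comment markers can only come from a tampered
// PHPSESSID cookie and is worth logging as such.
function isValidSessionId(string $sesId): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sesId);
}

// Unsafe: $sesId comes from the client's cookie, i.e. it is user input, and
// it is placed straight into the SQL text exactly as _read does.
function readSessionUnsafe(PDO $db, string $table, string $sesId): string
{
    $sql = "SELECT ses_value FROM $table WHERE ses_id = '$sesId'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['ses_value'] : '';
}

// Hardened: reject anything that does not look like a session id, then bind
// the value as a parameter so the database never parses it as SQL.
// $table must be a constant from configuration, never user-controlled.
function readSessionSafe(PDO $db, string $table, string $sesId): string
{
    if (!isValidSessionId($sesId)) {
        return '';   // treat a malformed id as "no such session"
    }
    $stmt = $db->prepare("SELECT ses_value FROM $table WHERE ses_id = :id");
    $stmt->execute([':id' => $sesId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['ses_value'] : '';
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (ses_id TEXT PRIMARY KEY, ses_value TEXT)');
$db->exec("INSERT INTO sessions VALUES ('abc123abc123abc123abc1', 'user|s:5:\"alice\";')");

$tampered = "' OR '1'='1";   // the kind of cookie value the thread is concerned about
// The unsafe reader returns another session's data for the tampered id;
// the hardened reader returns the empty string and only serves a well-formed id.
var_dump(readSessionUnsafe($db, 'sessions', $tampered) !== '');
var_dump(readSessionSafe($db, 'sessions', $tampered));
var_dump(readSessionSafe($db, 'sessions', 'abc123abc123abc123abc1'));
```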



olaf
Sun 29 April 2007, 08:34 pm GMT +0300
How do you want to access the database via the browser while this class is accessed by the session handler?

Will say that some hacker needs to create a session id; how do you do that?

pagedown
Sun 29 April 2007, 09:03 pm GMT +0300
Not sure what you are saying.

All I will say is I am not an expert in this area, but I have come across snippets of code that perform the same function as yours. Where they don't use mysql_real_escape_string people have criticised them, e.g. bottom of page here http://www.hardened-php.net/php_security_guide_considered_harmful.51.html

Chris Shiflett uses mysql_real_escape_string here http://shiflett.org/articles/storing-sessions-in-a-database

I don't know how you would set the session id, but I have read that it is possible.

Mike

olaf
Sun 29 April 2007, 09:53 pm GMT +0300
Only if the user can create the session id, then it's dangerous because of a SQL injection (via this ID).

Sure you can protect this code, but if you need to do this you maybe have more security issues because of an unsafe server configuration.

Sure it's always important to protect your queries against SQL injections, but first of all if there is some user input, and that's not the case here...

pagedown
Mon 30 April 2007, 11:32 am GMT +0300

Only if the user can create the session id, then it's dangerous because of a SQL injection (via this ID).

Sure you can protect this code, but if you need to do this you maybe have more security issues because of an unsafe server configuration.

Sure it's always important to protect your queries against SQL injections, but first of all if there is some user input, and that's not the case here...

Just wanted to say that I have found a hacking tool that allows modification of the session id. I don't want to post a link as it's not a good idea. I understand it is unlikely anyone would be vulnerable to this attack, but my application has quite high security requirements so I am going to make the suggested modifications on my own.

Mike

olaf
Mon 30 April 2007, 12:42 pm GMT +0300

Only if the user can create the session id, then it's dangerous because of a SQL injection (via this ID).

Sure you can protect this code, but if you need to do this you maybe have more security issues because of an unsafe server configuration.

Sure it's always important to protect your queries against SQL injections, but first of all if there is some user input, and that's not the case here...

Just wanted to say that I have found a hacking tool that allows modification of the session id. I don't want to post a link as it's not a good idea. I understand it is unlikely anyone would be vulnerable to this attack, but my application has quite high security requirements so I am going to make the suggested modifications on my own.

Mike


Mike, please PM me the link.

Archive for SMF v1.00 by N.P.