Vulnerability in session_handler.php?

Hi Olaf,

You fixed a problem which someone reported as a possible SQL injection attack. i.e. an attacker could enter "administrator' or 'a'='a" for the username and get in without a password.

It looks like there is a similar although more difficult to exploit problem in session_handler.php function _read and others

    function _read($ses_id) {

        $session_sql = "SELECT * FROM " . $this->ses_table

                     . " WHERE ses_id = '$ses_id'";



$ses_id is used without being checked. I believe $ses_id is the session id provided from the users browser. A hacker could set this to any value, causing undesirable effects e.g. DROP sessions

I think the code should be

    function _read($ses_id) {

   $ses_id = mysql_real_escape_string($ses_id);
        $session_sql = "SELECT * FROM " . $this->ses_table

                     . " WHERE ses_id = '$ses_id'";


This also applies to other functions in session_handler.php

Mike

[Free WordPress Themes]

how do you wanna access the database via the browser while this class is accessed by the session handler?

will say that some hacker need to create a session id how do you do that?

Not sure what you are saying.

All I will say is I am not an expert in this area but I have come across snippets of code that perform the same function as yours. Where they don't use mysql_real_escape_string people have criticised them e.g. bottom of page here http://www.hardened-php.net/php_security_guide_considered_harmful.51.html

Chris Shiflet uses mysql_real_escape_string  here http://shiflett.org/articles/storing-sessions-in-a-database

I dont know how you would set the sessionid but I have read that it is possible.

Mike

[Free WordPress Themes]

only if the user can create the session id than its dangerous because of a SQL injection (via this ID).

sure you can protect this code but if you need this to do you have maybe more security issues because of a unsafe server configuration.

sure it's always important to protect you queries for sql injections but first of all if there is some user input and that not the case here...

only if the user can create the session id than its dangerous because of a SQL injection (via this ID).

sure you can protect this code but if you need this to do you have maybe more security issues because of a unsafe server configuration.

sure it's always important to protect you queries for sql injections but first of all if there is some user input and that not the case here...

Just wanted to say that I have found a hacking tool that allows modification of session id. I don't want to post a link as its not a good idea. I understand it is unlikely anyone would be vulnerable to this attack but my application has quite high security requirements so I am going to make the suggested modifications on my own.

Mike

[Free WordPress Themes]

only if the user can create the session id than its dangerous because of a SQL injection (via this ID).

sure you can protect this code but if you need this to do you have maybe more security issues because of a unsafe server configuration.

sure it's always important to protect you queries for sql injections but first of all if there is some user input and that not the case here...

Just wanted to say that I have found a hacking tool that allows modification of session id. I don't want to post a link as its not a good idea. I understand it is unlikely anyone would be vulnerable to this attack but my application has quite high security requirements so I am going to make the suggested modifications on my own.

Mike

Mike, please pm me the link

[Guest]

[37.736]

Googlebot, Yahoo crawler, Baidu Spider, Msnbot, Gigabot