CodeIgniter Forums
Security Vulnerability: Cookies and null byte character



Security Vulnerability: Cookies and null byte character - El Forum - 09-22-2008

[eluser]hootersvip[/eluser]
Hi guys,

Our security guys have found a possible security vulnerability in CodeIgniter 1.5.4:

If you set the session value to a null byte:

Code:
Cookie: ci_session=%\0\0

and are using database to support your sessions, it will display an SQL error:

Code:
<h1>An Error Was Encountered</h1>
  <p>Error Number: </p><p></p><p>SELECT *
FROM ci_session
WHERE session_id = ' '
AND session_user_agent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;'</p>

In addition this will expose you to a possible SQL injection. Can anybody suggest a solution to this issue?

Cheers,

Hooters VIP
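
One defensive check for the cookie value described in this post, written as an added example (not CodeIgniter's own code): reject a session cookie that carries null bytes or does not match an assumed 32-hex-digit id format before it reaches the database, and bind the surviving value as a prepared-statement parameter instead of interpolating it. The `ci_session` table name and the 50-character user agent are taken from the quoted error; the id format, the `validate_session_id`/`fetch_session` names and the PDO connection are assumptions.

```php
<?php
// Added example, not CodeIgniter code: validate the session cookie
// before it is used in a query, so a value such as "%\0\0" (a percent
// sign followed by two real null bytes) is refused instead of producing
// the SQL error shown in the post.
declare(strict_types=1);

/**
 * Return the session id from the raw cookie value, or null when it is
 * not well-formed. Values containing null bytes or other control
 * characters are rejected rather than "cleaned": a cleaned value would
 * silently look up a different (or empty) session id.
 */
function validate_session_id(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Any C0 control character (including NUL) or DEL disqualifies the value.
    if (preg_match('/[\x00-\x1f\x7f]/', $raw) === 1) {
        return null;
    }
    // Assumed id format: exactly 32 lowercase hex digits (md5-style token).
    if (preg_match('/^[a-f0-9]{32}$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Look up the session with a prepared statement. Even a value that has
 * passed validation is bound as a parameter, never concatenated.
 * The user agent is truncated to 50 characters, matching the truncated
 * agent string visible in the quoted error (an assumption about the schema).
 */
function fetch_session(PDO $pdo, ?string $cookie, string $userAgent): ?array
{
    $id = validate_session_id($cookie);
    if ($id === null) {
        return null; // treat as "no session", the same as a missing cookie
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM ci_session WHERE session_id = ? AND session_user_agent = ?'
    );
    $stmt->execute([$id, substr($userAgent, 0, 50)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: the cookie from the post and a well-formed id.
foreach (["%\0\0", str_repeat('a', 32), 'ABC'] as $sample) {
    echo bin2hex($sample), ' => ', validate_session_id($sample) === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

Calling `fetch_session($pdo, $_COOKIE['ci_session'] ?? null, $_SERVER['HTTP_USER_AGENT'] ?? '')` in place of a hand-built query returns `null` for the malformed cookie without ever sending it to the database.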


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]hootersvip[/eluser]
I should add that the null byte character does not contain backslashes (added it to get past the validation).


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]Jake Grice[/eluser]
That's very interesting as I am always over-paranoid about SQL injection.

I'm using the "default" session library or whatever... So I don't think it's in databases. I'm definitely going to check back and see what progresses with this issue.


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]GSV Sleeper Service[/eluser]
[quote author="hootersvip" date="1222162379"]Can anybody suggest a solution to this issue? [/quote]
upgrade to the latest version?

I don't have a copy of 1.5.4, but going by 1.6.3 you should be looking in Input.php in the libraries folder.


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]hootersvip[/eluser]
Exactly the answer I wasn't looking for, but it may be the best one. Unfortunately, changing the version means a whole lot of QA effort, since we have multiple applications using CI - all of them need to be tested in their entirety for regression. Yeehaw...


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]xwero[/eluser]
Use another session library?


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]GSV Sleeper Service[/eluser]
Well, I'm using 1.6.3 here at work, and I'm using the native sessions plugin so I can't test your problem at the moment.
Have you tried this null byte hack on a 1.6.3 install? I'm fairly confident that you'll only have to patch the Input library.


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]hootersvip[/eluser]
@xwero - OBsession? Any recommendations?

@GSV - Yeah, that's on the slate for tomorrow. Thanks!


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]Derek Jones[/eluser]
Thanks for the report, hootersvip, I'll take a look at this compared to the current code in the SVN. We make old versions available for download, but updates, including security fixes, are only maintained in the current version. We work very hard to make upgrades retain backwards compatibility, and to be a fairly painless process.

I'm curious as to what version of PHP and MySQL you are running. Null characters should be escaped by mysql_real_escape_string().


Security Vulnerability: Cookies and null byte character - El Forum - 09-23-2008

[eluser]Derek Jones[/eluser]
Incidentally, you can always feel free to email us directly with security concerns, even if just to point to a forum thread, as we take them seriously, but don't always have time to monitor forum activity.