Security Vulnerability: Cookies and null byte character

[eluser]hootersvip[/eluser]
Hi guys,

Our security guys have found a possible security vulnerabilty in CodeIgniter 1.5.4:

If you set the session value to a null byte:

Code:

Cookie: ci_session=%\0\0

and are using database to support your sessions, it will display an SQL error:

Code:

<h1>An Error Was Encountered</h1>
  <p>Error Number: </p><p></p><p>SELECT *
FROM ci_session
WHERE session_id = ' '
AND session_user_agent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;'</p>

In addition this will expose you to a possible SQL injection. Can anybody suggest a solution to this issue?

Cheers,

Hooters VIP

[eluser]hootersvip[/eluser]
I should add that the null byte character does not contain backslashes (added it to get past the validation).

[eluser]Jake Grice[/eluser]
That's very interesting as I am always over-paranoid about SQL injection.

I'm using the "default" session library or whatever... So I don't think it's in databases. I'm definitely going to check back and see what progresses with this issue.

[eluser]GSV Sleeper Service[/eluser]
[quote author="hootersvip" date="1222162379"]Can anybody suggest a solution to this issue? [/quote]
upgrade to the latest version?

I don't have a copy of 1.5.4, but going by 1.6.3 you should be looking in Input.php in the libraries folder.

[eluser]hootersvip[/eluser]
Exactly the answer I wasn't looking for, but it may be the best one. Unfortunately, changing the version means a whole lot of QA effort, since we have multiple applications using CI - all of them need to be tested in their entirety for regression. Yeehaw...

[eluser]xwero[/eluser]
Use another session library?

[eluser]GSV Sleeper Service[/eluser]
well, I'm using 1.6.3 here at work, and I'm using the native sessions plugin so I can't test your problem at the moment.
have you tried this null byte hack on a 1.6.3 install? I'm fairly confident that you'll only have to patch the Input library.

[eluser]hootersvip[/eluser]
@xwero - OBsession? Any recommendations?

@GSV - Yeah, that's on the slate for tomorrow. Thanks!

[eluser]Derek Jones[/eluser]
Thanks for the report, hootersvip, I'll take a look at this compared to the current code in the SVN. We make old versions available for download, but updates, including security fixes, are only maintained in the current version. We work very hard to make upgrades retain backwards compatibility, and to be a fairly painless process.

I'm curious as to what version of PHP and MySQL you are running. Null characters should be escaped by mysql_real_escape_string().

[eluser]Derek Jones[/eluser]
Incidentally, you can always feel free to email us directly with security concerns, even if just to point to a forum thread, as we take them seriously, but don't always have time to monitor forum activity.