Security Vulnerability: Cookies and null byte character
#11

[eluser]Derek Jones[/eluser]
For what it's worth, I cannot duplicate against the SVN.
#12

[eluser]hootersvip[/eluser]
@Derek - thanks. Well, our session database is SQL Server, so we have to use FreeTDS to make the connection happen. I will try to update the Input library only and see if it works out. Otherwise, I may have to consider upgrading to 1.6.3.
#13

[eluser]Derek Jones[/eluser]
Ah, MS SQL server? Well the update might not impact this for you then, as the real issue you're having here is that the null character is not being escaped in the query. Null characters will not be automatically removed from cookies in the 1.6.3 Input library, unless you are using global XSS filtering. Sounds like this might be something worth adding to escape_str() in the MS SQL driver. Attached is a modified version of the 1.5.4 MS SQL database driver; backup and replace your current one with this, and see if it solves the problem for you. It's a little more robust, removing all non-printing control characters which might cause the same problem as a null character. Please let me know if it works for you.
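What a driver-level escape of the kind described above might look like, as an added example: this is not the attached driver and not CodeIgniter's own code, and the function names, the session table and column names and the sample cookie value are assumptions made for illustration.

```php
<?php
/*
 * Added example (not CodeIgniter's driver code): an escape routine in
 * the spirit of the fix described above, which removes NUL and every
 * other non-printing control character before a value is quoted for
 * MS SQL. Function names, table and column names are illustrative.
 */

// Return the string with every ASCII control character removed
// (0x00-0x1F and 0x7F). This covers NUL as well as TAB, CR and LF,
// none of which belong in a cookie value.
function strip_control_chars($str)
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $str);
}

// Escape a value for use inside a single-quoted MS SQL string literal.
// MS SQL escapes a single quote by doubling it; there is no backslash
// escaping as in MySQL, so control characters are removed rather than
// escaped.
function mssql_escape_str($str)
{
    $str = strip_control_chars($str);
    return str_replace("'", "''", $str);
}

// Constructed cookie value: a session id carrying an embedded NUL byte
// and a single quote, of the kind a header-modifying browser extension
// can send.
$cookie = "abc123\0def'";

$safe = mssql_escape_str($cookie);

// Illustrative query in the shape of a session lookup; the table and
// column names are assumptions, not a real schema.
$sql = "SELECT user_data FROM ci_sessions WHERE session_id = '" . $safe . "'";

printf("raw bytes: %d, escaped bytes: %d\n", strlen($cookie), strlen($safe));
echo bin2hex($cookie), "\n";
echo $sql, "\n";
```

The bin2hex line makes the NUL byte visible in the raw input, which is otherwise invisible in terminal output; with the escaped value, only the doubled quote remains and the query no longer carries a control character. A value that survives this filter still goes through the normal escaping, so the control-character strip is a complement to quoting, not a replacement for it.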
#14

[eluser]hootersvip[/eluser]
@Derek - just wanted to say thanks! Using the "Modify Headers" FF extension, our application just acted as if there was no session -- no database error. The error was handled smoothly - I believe our security guys will be happy with this patch. Cheers from Taiwan!
#15

[eluser]Derek Jones[/eluser]
Great, thanks for the feedback. I've rolled in a similar fix to the svn, so if you do update prior to our next release, make sure you grab the latest driver from the subversion.