ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Security Vulnerability: Cookies and null byte character

September 23, 2008 1:32am

  • #1 / Sep 23, 2008 1:32am

    hootersvip

    6 posts

    Hi guys,

    Our security guys have found a possible security vulnerability in CodeIgniter 1.5.4:

    If you set the session value to a null byte:

    Cookie: ci_session=%\0\0

    and are using database to support your sessions, it will display an SQL error:

    <h1>An Error Was Encountered</h1>
      Error Number: 
    
    SELECT *
    FROM ci_session
    WHERE session_id = ' '
    AND session_user_agent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;'

    In addition this will expose you to a possible SQL injection. Can anybody suggest a solution to this issue?

    Cheers,

    Hooters VIP

  • #2 / Sep 23, 2008 7:38am

    hootersvip

    6 posts

    I should add that the null byte character does not contain backslashes (added it to get past the validation).

  • #3 / Sep 23, 2008 8:31am

    Jake Grice

    26 posts

    That’s very interesting as I am always over-paranoid about SQL injection.

    I’m using the “default” session library or whatever… So I don’t think it’s in databases. I’m definitely going to check back and see what progresses with this issue.

  • #4 / Sep 23, 2008 10:04am

    Can anybody suggest a solution to this issue?

    Upgrade to the latest version?

    I don’t have a copy of 1.5.4, but going by 1.6.3 you should be looking in Input.php in the libraries folder.

  • #5 / Sep 23, 2008 10:30am

    hootersvip

    6 posts

    Exactly the answer I wasn’t looking for, but it may be the best one. Unfortunately, changing the version means a whole lot of QA effort, since we have multiple applications using CI - all of them need to be tested in their entirety for regression. Yeehaw…

  • #6 / Sep 23, 2008 10:48am

    xwero

    4145 posts

    Use another session library?

  • #7 / Sep 23, 2008 10:49am

    Well, I’m using 1.6.3 here at work, and I’m using the native sessions plugin, so I can’t test your problem at the moment.
    Have you tried this null byte hack on a 1.6.3 install? I’m fairly confident that you’ll only have to patch the Input library.

  • #8 / Sep 23, 2008 10:59am

    hootersvip

    6 posts

    @xwero - OBsession? Any recommendations?

    @GSV - Yeah, that’s on the slate for tomorrow. Thanks!

  • #9 / Sep 23, 2008 4:43pm

    Derek Jones

    7561 posts

    Thanks for the report, hootersvip, I’ll take a look at this compared to the current code in the SVN.  We make old versions available for download, but updates, including security fixes, are only maintained in the current version.  We work very hard to make upgrades retain backwards compatibility, and to be a fairly painless process.

    I’m curious as to what version of PHP and MySQL you are running.  Null characters should be escaped by mysql_real_escape_string().

  • #10 / Sep 23, 2008 4:45pm

    Derek Jones

    7561 posts

    Incidentally, you can always feel free to email us directly with security concerns, even if just to point to a forum thread, as we take them seriously, but don’t always have time to monitor forum activity.

  • #11 / Sep 23, 2008 6:59pm

    Derek Jones

    7561 posts

    For what it’s worth, I cannot duplicate against the SVN.

  • #12 / Sep 23, 2008 11:02pm

    hootersvip

    6 posts

    @Derek - thanks. Well, our session database is SQL Server, so we have to use FreeTDS to make the connection happen. I will try to update the Input library only and see if it works out. Otherwise, I may have to consider upgrading to 1.6.3.

  • #13 / Sep 23, 2008 11:29pm

    Derek Jones

    7561 posts

    Ah, MS SQL server?  Well the update might not impact this for you then, as the real issue you’re having here is that the null character is not being escaped in the query.  Null characters will not be automatically removed from cookies in the 1.6.3 Input library, unless you are using global XSS filtering.  Sounds like this might be something worth adding to escape_str() in the MS SQL driver.  Attached is a modified version of the 1.5.4 MS SQL database driver; backup and replace your current one with this, and see if it solves the problem for you.  It’s a little more robust, removing all non-printing control characters which might cause the same problem as a null character.  Please let me know if it works for you.
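    The following is an added example, not CodeIgniter's driver code and not the patched driver attached to this post. It models the situation from post #1 (a cookie value containing real null bytes reaching the session query, where the MS SQL driver has no mysql_real_escape_string() equivalent) and the fix described here (stripping all non-printing control characters in escape_str() before quoting). It also adds a defence-in-depth step this thread does not discuss: rejecting a session id that does not have the expected shape before any query is built. The function names, the assumed 32-hex-character session id format and the sample inputs are all constructed for the example.

    ```php
    <?php
    // Added example: not CodeIgniter's own escape_str() and not the driver patch
    // from this thread. Shows the fix described in post #13 for the failure in
    // post #1, plus a session-id shape check as an extra layer.

    // Remove ASCII control characters (0x00-0x1F and 0x7F). The null byte is the
    // case reported in post #1; the other control characters are stripped for
    // the same reason, as the patched driver in post #13 does.
    function strip_control_chars(string $str): string
    {
        return preg_replace('/[\x00-\x1F\x7F]/', '', $str);
    }

    // Escape a string literal for MS SQL (T-SQL): control characters are removed
    // and single quotes are doubled. Hypothetical helper standing in for the
    // driver's escape_str(); with a real driver, prefer bound parameters.
    function mssql_escape_str(string $str): string
    {
        return str_replace("'", "''", strip_control_chars($str));
    }

    // Defence in depth (not part of the thread's fix): a session id read from a
    // cookie should look like one before it is used. Assumes CI-style session
    // ids are 32 lowercase hex characters; adjust to your own id format.
    function is_valid_session_id(string $id): bool
    {
        return (bool) preg_match('/^[a-f0-9]{32}$/', $id);
    }

    // Build the lookup query shown in post #1 from the escaped cookie value, or
    // return null when the id is malformed so that no query is issued at all
    // (the application then behaves as if there were no session, which is the
    // outcome post #14 reports after the patch).
    function build_session_query(string $cookie_value, string $user_agent): ?string
    {
        $session_id = mssql_escape_str($cookie_value);
        if (!is_valid_session_id($session_id)) {
            return null;
        }
        // The query in post #1 shows the user agent truncated to 50 characters.
        $ua = mssql_escape_str(substr($user_agent, 0, 50));

        return "SELECT * FROM ci_session"
             . " WHERE session_id = '$session_id'"
             . " AND session_user_agent = '$ua'";
    }

    // Constructed inputs: the cookie from post #1 (a percent sign followed by two
    // actual null bytes, as post #2 clarifies) and a well-formed session id.
    $bad_cookie  = "%\0\0";
    $good_cookie = str_repeat('ab', 16);   // 32 hex characters, constructed
    $ua          = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;)';

    // What survives of the bad cookie after stripping, shown as hex so the
    // absence of the null bytes is visible.
    echo bin2hex(strip_control_chars($bad_cookie)), PHP_EOL;

    // The bad cookie never reaches the database: no query, hence no SQL error.
    var_dump(build_session_query($bad_cookie, $ua));

    // A well-formed id produces the expected quoted SELECT.
    echo build_session_query($good_cookie, $ua), PHP_EOL;

    // Quote doubling for ordinary values with an apostrophe.
    echo mssql_escape_str("O'Brien"), PHP_EOL;
    ```

    Run it with `php example.php`. The control-character stripping alone is what this post's driver patch provides; the shape check is a separate, cheaper layer that keeps obviously malformed cookie values away from the query builder entirely, whichever database driver is in use.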

  • #14 / Sep 24, 2008 1:09pm

    hootersvip

    6 posts

    @Derek - just wanted to say thanks! Using the “Modify Headers” FF extension, our application just acted as if there was no session—no database error. The error was handled smoothly - I believe our security guys will be happy with this patch. Cheers from Taiwan!

  • #15 / Sep 24, 2008 3:23pm

    Derek Jones

    7561 posts

    Great, thanks for the feedback.  I’ve rolled in a similar fix to the svn, so if you do update prior to our next release, make sure you grab the latest driver from the subversion.
