Potential SQL injection vulnerability in Apache::AuthCAS

2007.12.13
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Some weeks ago, I sent the following message to David Castro, the author of Apache::AuthCAS. As there hasn't been any reply and the guys at ja-sig.org haven't been able or willing to look into it, perhaps there is somebody here who wants to have a closer look at this? CAS is the Central Authentication Service that seems to be used in several large, mainly academic, networks. I believe I have found an SQL injection vulnerability in Apache::AuthCAS, the perl module used to authenticate users of various web sites against a CAS server. That is, I haven't been able to verify it as I don't have a working system here (and didn't want to hack around in others'); my colleague Dirk Stander and I just came across it while looking for candidates for a web authentication system and it seems fairly obvious from looking at the source: In line 516 of the CPAN version [http://search.cpan.org/~dcastro/Apache-AuthCAS-0.4/lib/Apache/AuthCAS.p m], the session ID is extracted from the cookie as $cookie =~ /.*$SESSION_COOKIE_NAME=([^;]+)(\s*;.*|\s*$)/; $sid = $1 || ""; then it is passed to get_session_data() iin line 544 without sanitizing it. get_session_data() simply inserts $sid into SQL in line 1005: my $sth = $dbh->prepare("SELECT last_accessed, uid, pgtiou FROM $DB_SESSION_TABLE WHERE id='$sid';"); Manipulating your cookie to contain a session ID of "x' OR 'x'='x" or someting equivalent wouldn't be caught. As this way of inserting arguments into SQL is used throughout the module, there are other places where it is potentially even more dangerous, like the INSERT in line 974, although we didn't check the program flow to this function. regards, Matthias -- I prefer encrypted and signed messages. KeyID: FAC37665 Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHWJaqSNkXAPrDdmURA7eAAJ9BxycIQOy6N1K2KQ8rm4b6+MH/ZwCfXOX1 ylpnPnNXRQA7MlMp+tBw3mw= =sose -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top