Vigil@nce: Auth2DB, SQL injection
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use Unicode data in order to generate a SQL
injection in Auth2DB.
Severity: 2/4
Consequences: user access/rights
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 30/03/2009
IMPACTED PRODUCTS
– Debian Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Auth2DB program is used to store logs in a MySQL database.
The addslashes() PHP function adds a backslash before all special
characters. In Unicode mode, characters can be stored in several
bytes, and thus the mysql_real_escape_string() function has to be
used.
However, the sec_addESC() function of the Auth2DB/www/security.php
file uses addslashes() instead of mysql_real_escape_string().
An attacker can therefore use Unicode data in order to generate a
SQL injection in Auth2DB.
CHARACTERISTICS
Identifiers: 521823, BID-34287, CVE-2009-1208, DSA 1757-1,
VIGILANCE-VUL-8571
http://vigilance.fr/vulnerability/Auth2DB-SQL-injection-8571