SQL Injection in alexedwards/scs

Valid

Reported on

May 24th 2022


Description

A SQL injection in the rqlitestore session store (github.com/alexedwards/scs/rqlitestore). The session token presented by the client is placed into the SQL sent to rqlite without being parameterized, so a crafted token changes the meaning of the query that looks the session up.

Proof of Concept

Use the following example code, a minimal scs application backed by rqlitestore:

package main

import (
    "io"
    "log"
    "net/http"

    "github.com/alexedwards/scs/rqlitestore"
    "github.com/alexedwards/scs/v2"
    "github.com/rqlite/gorqlite"
)

var sessionManager *scs.SessionManager

func main() {
    // Establish connection to rqlite.
    conn, err := gorqlite.Open("http://localhost:4001/")
    if err != nil {
        log.Fatal(err)
    }
    defer conn.Close()

    // Initialize a new session manager and configure it to use rqlitestore as the session store.
    sessionManager = scs.New()
    sessionManager.Store = rqlitestore.New(conn)

    mux := http.NewServeMux()
    mux.HandleFunc("/put", putHandler)
    mux.HandleFunc("/get", getHandler)

    // LoadAndSave reads the session token from the session cookie on every
    // request and hands it to the store, which is where the injection happens.
    log.Fatal(http.ListenAndServe(":4000", sessionManager.LoadAndSave(mux)))
}

// putHandler stores a value in the current session.
func putHandler(w http.ResponseWriter, r *http.Request) {
    sessionManager.Put(r.Context(), "message", "Hello from a session!")
}

// getHandler reads the value back from whichever session the token resolves to.
func getHandler(w http.ResponseWriter, r *http.Request) {
    msg := sessionManager.GetString(r.Context(), "message")
    io.WriteString(w, msg)
}

Use ' or '1'='1 as the session token (the value of the session cookie), then access /get. The report follows this with a debug view of the result; that screenshot is not part of this text.

Impact

Extract data or log in as admin: the usual consequences of a SQL injection, made more severe here because the injectable value is the session token, which any unauthenticated client controls through the session cookie and which the session middleware looks up on every request.
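The following is an added example, not code from the report or from scs/rqlitestore, that shows why the token from the cookie is dangerous when spliced into SQL text and what the hardened lookup looks like. The table and column names are an assumed model of a session store, the Statement type mirrors the shape of a parameterized statement as rqlite's HTTP API and gorqlite's ParameterizedStatement take it (an assumption about that shape, not a use of the library), and mapStore is a constructed stand-in for rqlite so the code runs offline. The token length bound in the validator is also an assumption rather than scs's exact token length.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Statement models a parameterized statement: SQL text with ? placeholders
// plus the bound values sent alongside it (assumed shape for this example).
type Statement struct {
	Query     string
	Arguments []interface{}
}

// unsafeFindStatement builds the session lookup the vulnerable way: the token
// taken from the session cookie is spliced into the SQL text. The table and
// column names are an assumed model, not scs's own code.
func unsafeFindStatement(token string) string {
	return fmt.Sprintf(
		"SELECT data FROM sessions WHERE token = '%s' AND expiry > datetime('now')",
		token)
}

// safeFindStatement sends the same lookup with the token as a bound value, so
// the database only ever sees it as data, never as SQL.
func safeFindStatement(token string) Statement {
	return Statement{
		Query:     "SELECT data FROM sessions WHERE token = ? AND expiry > datetime('now')",
		Arguments: []interface{}{token},
	}
}

// tokenPattern is a defence-in-depth check in front of the store: scs session
// tokens are base64url text, so a cookie containing quotes, spaces or comment
// markers is not a token scs issued and can be rejected before any query runs.
// The length bound is an assumption, not scs's exact token length.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

var errBadToken = errors.New("session token contains unexpected characters")

// validateToken rejects anything that does not look like an scs-issued token.
func validateToken(token string) error {
	if !tokenPattern.MatchString(token) {
		return errBadToken
	}
	return nil
}

// Executor abstracts the rqlite client so the example runs without a server.
type Executor interface {
	QueryOne(st Statement) (data string, found bool, err error)
}

// findSession is the hardened lookup path: validate first, then bind.
func findSession(db Executor, token string) (string, bool, error) {
	if err := validateToken(token); err != nil {
		return "", false, err
	}
	return db.QueryOne(safeFindStatement(token))
}

// mapStore is a constructed stand-in for rqlite: it answers the parameterized
// lookup by exact match on the bound token, which is how a bound value behaves.
type mapStore map[string]string

func (m mapStore) QueryOne(st Statement) (string, bool, error) {
	if len(st.Arguments) != 1 {
		return "", false, errors.New("expected exactly one bound token")
	}
	token, ok := st.Arguments[0].(string)
	if !ok {
		return "", false, errors.New("token argument is not a string")
	}
	data, found := m[token]
	return data, found, nil
}

func main() {
	payload := "' or '1'='1"                             // the token from the report
	issued := "Yr5n3b8nU3Ne8rt8z7vQ1Wm1gJ3Qp4Fh5Lz0Cw2Xq8" // constructed, base64url-shaped
	store := mapStore{issued: "message=Hello from a session!"}

	fmt.Println("unsafe:", unsafeFindStatement(payload))
	fmt.Println("safe:  ", safeFindStatement(payload).Query, safeFindStatement(payload).Arguments)
	_, found, err := findSession(store, payload)
	fmt.Println("lookup with payload: found =", found, "err =", err)
	data, found, _ := findSession(store, issued)
	fmt.Println("lookup with issued token: found =", found, "data =", data)
}
```

With the report's payload, unsafeFindStatement yields a WHERE clause of `token = '' or '1'='1' AND ...`, which matches rows regardless of the token, while safeFindStatement leaves the same string as a bound argument that can only ever be compared as a value. The validator is a second layer, not a substitute for binding: it narrows what reaches the store to the character set scs actually issues, but the parameterized statement is what removes the injection.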

Activity

We are processing your report and will contact the alexedwards/scs team within 24 hours. (a month ago)
cokebeer modified the report. (a month ago)
We have contacted a member of the alexedwards/scs team and are waiting to hear back. (a month ago)
We have sent a follow up to the alexedwards/scs team. We will try again in 7 days. (a month ago)
Alex Edwards validated this vulnerability. (a month ago)
cokebeer has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Alex Edwards confirmed that a fix has been merged on d93ace. (a month ago)
The fix bounty has been dropped.