SQL Injection in alexedwards/scs

Valid

Reported on

May 24th 2022


Description

A SQL injection in the rqlite session store (rqlitestore).

Proof of Concept

Use the following example code:

package main

import (
    "io"
    "log"
    "net/http"

    "github.com/alexedwards/scs/rqlitestore"
    "github.com/alexedwards/scs/v2"
    "github.com/rqlite/gorqlite"
)

var sessionManager *scs.SessionManager

func main() {
    // Establish connection to rqlite.
    conn, err := gorqlite.Open("http://localhost:4001/")
    if err != nil {
        log.Fatal(err)
    }
    defer conn.Close()

    // Initialize a new session manager and configure it to use rqlitestore as the session store.
    sessionManager = scs.New()
    sessionManager.Store = rqlitestore.New(conn)

    mux := http.NewServeMux()
    mux.HandleFunc("/put", putHandler)
    mux.HandleFunc("/get", getHandler)

    // LoadAndSave reads the session cookie on every request and looks the token up in the store.
    log.Fatal(http.ListenAndServe(":4000", sessionManager.LoadAndSave(mux)))
}

// putHandler stores a value in the current session.
func putHandler(w http.ResponseWriter, r *http.Request) {
    sessionManager.Put(r.Context(), "message", "Hello from a session!")
}

// getHandler reads the value back from whichever session the cookie token resolves to.
func getHandler(w http.ResponseWriter, r *http.Request) {
    msg := sessionManager.GetString(r.Context(), "message")
    io.WriteString(w, msg)
}

Use ' or '1'='1 as the session token, then access /get. A debug view looks like this:

Impact

Extract data or log in as admin (the basic impact any SQL injection has, made more severe here because it occurs in a session middleware).
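A store can only be injectable through the session token if the token is spliced into the SQL text it sends to the database. The Go example below is added to this report and is not code from alexedwards/scs, gorqlite or the fix commit; it contrasts that interpolation pattern with a parameterized statement, and adds a defence-in-depth shape check on the cookie value before any query is built. The table and column names, the helper names and the sample token are assumptions or constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Example added to this report, not code from alexedwards/scs or gorqlite.
// Table/column names and helper names are assumptions.

// findQuery is the per-request lookup. The '?' is a placeholder bound by the
// driver, so the token never becomes part of the SQL text.
const findQuery = "SELECT data FROM sessions WHERE token = ? AND current_timestamp < expiry"

// ParamStmt models a parameterized statement: SQL text and argument values
// travel separately. Real drivers (database/sql, gorqlite's parameterized
// methods) work the same way.
type ParamStmt struct {
	Query string
	Args  []interface{}
}

// unsafeFind splices the token straight into the SQL text. Whatever the
// cookie contains is now SQL, which is the class of defect the report describes.
func unsafeFind(token string) string {
	return fmt.Sprintf("SELECT data FROM sessions WHERE token = '%s' AND current_timestamp < expiry", token)
}

// safeFind keeps the query text constant and passes the token as data.
func safeFind(token string) ParamStmt {
	return ParamStmt{Query: findQuery, Args: []interface{}{token}}
}

// quotedLiterals counts single-quoted string literals in a SQL text. A lookup
// by token should contain exactly one; more means the token broke out of it.
func quotedLiterals(sql string) int {
	return strings.Count(sql, "'") / 2
}

// tokenShape is a defence-in-depth check on the cookie value before it reaches
// any store. Assumption: scs issues tokens as the base64 raw-URL encoding of
// 32 random bytes, i.e. 43 characters from [A-Za-z0-9_-].
var tokenShape = regexp.MustCompile(`^[A-Za-z0-9_-]{43}$`)

// isWellFormedToken rejects anything that does not look like a server-issued
// token, so a payload is dropped before a query is ever built.
func isWellFormedToken(token string) bool {
	return tokenShape.MatchString(token)
}

func main() {
	payload := "' or '1'='1"                                  // the token from the proof of concept
	issued := "WVzwQ4xjUwflKt7T7NWV4yDpd7u7jFxy20nzDCcwa5k" // constructed, well-formed token
	for _, tok := range []string{issued, payload} {
		unsafe := unsafeFind(tok)
		safe := safeFind(tok)
		fmt.Printf("token %q\n", tok)
		fmt.Printf("  interpolated:  %s\n  literals: %d\n", unsafe, quotedLiterals(unsafe))
		fmt.Printf("  parameterized: %s  args=%q\n", safe.Query, safe.Args)
		fmt.Printf("  passes shape check: %v\n", isWellFormedToken(tok))
	}
}
```

Running it shows the interpolated lookup for the PoC token containing three string literals instead of one, while the parameterized form's SQL text is identical for both tokens and only the bound argument differs. The shape check is not a substitute for parameterization; it is a cheap middleware-level filter that also gives detection logic something concrete to alert on (a cookie that fails the check on a route that should only ever see server-issued tokens).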

We are processing your report and will contact the alexedwards/scs team within 24 hours. a year ago
cokebeer modified the report a year ago
We have contacted a member of the alexedwards/scs team and are waiting to hear back a year ago
We have sent a follow up to the alexedwards/scs team. We will try again in 7 days. a year ago
Alex Edwards validated this vulnerability a year ago
cokebeer has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Edwards marked this as fixed in d93ace5be94bc476d79a2b818ae6579fa76e5a59 with commit d93ace a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE