HTTP::Session2 Code Injection Vulnerability in Perl
Vulnerability
A code injection vulnerability has been identified in HTTP::Session2 for Perl, affecting versions through 1.09. The issue arises because the library does not properly validate user-provided session IDs. This lack of validation can lead to code injection or other impacts, depending on the session storage backend used. For instance, if memcached is employed for session storage, a remote attacker might inject memcached commands through the session ID.
Impact
Exploitation of this vulnerability could allow for code injection, with the potential for more severe consequences depending on the session storage backend.
Reproduction
The vulnerability can be reproduced by setting a session ID that includes invalid characters, such as those outside the standard printable ASCII range. This can be done by manually crafting a request that includes the malformed session ID in the cookie header. Once the request is processed by the server, the injected commands can be executed if the application uses a vulnerable session storage backend, like memcached.
Remediation
Users are advised to upgrade to HTTP::Session2 version 1.10 or later, and to use a session storage module that protects against command injection, such as Cache::Memcached::Fast::Safe. However, since HTTP::Session2 has been deprecated, users should migrate to a different solution.
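The following is an added example, not code from HTTP::Session2 or from the original advisory. It shows the kind of allowlist check whose absence the advisory describes, applied to a cookie-supplied session ID before it is used as a storage key. The ID alphabet, the length bounds and the helper names are assumptions, and the sample values are constructed.

```perl
use strict;
use warnings;

# Assumption: IDs issued by the application use only [A-Za-z0-9_-] and are
# 32..128 characters long; match this to your own ID generator.
# \A and \z anchor the whole string; ^...$ would accept a trailing newline.
my $STRICT = qr/\A[A-Za-z0-9_-]{32,128}\z/;
my $WEAK   = qr/^[A-Za-z0-9_-]+$/;    # shown only for contrast

# Hypothetical helper: return the ID if it is safe to use as a storage key,
# undef otherwise. memcached's text protocol separates tokens with
# whitespace and ends each command with \r\n, so none of those may pass.
sub validated_session_id {
    my ($raw) = @_;
    return unless defined $raw && !ref $raw;
    return $raw =~ $STRICT ? $raw : undef;
}

# Render control and non-ASCII bytes visibly for log output.
sub printable {
    my ($s) = @_;
    $s =~ s/([^\x21-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Constructed sample values, as a cookie parser would hand them over
# after percent-decoding.
my @samples = (
    'a3f1' x 10,                         # 40 characters, well-formed
    ('a3f1' x 10) . "\n",                # trailing newline
    ('a3f1' x 8) . "\r\nextra line",     # CR LF and a space in the value
    'short',                             # below the minimum length
    ('a3f1' x 8) . "\x00\xff",           # NUL and a non-ASCII byte
);

for my $raw (@samples) {
    my $id = validated_session_id($raw);
    printf "%-6s weak=%-3s %s\n",
        defined $id ? 'ACCEPT' : 'REJECT',
        $raw =~ $WEAK ? 'yes' : 'no',
        printable($raw);
    # Only a defined $id may reach the session store; on rejection, issue a
    # fresh server-generated ID instead of using the client's value.
}
```

Only the first sample is accepted; the second passes the `^...$` pattern but is rejected by the `\A...\z` one, which is why the anchors matter.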
