Reputation: 16257
I'm working through a security assessment report on a PHP app generated by Acunetix.
The report is claiming a SQL Injection vulnerability. The app is PHP with MySQL. Here are the headers it says are making the attack (specifically the accept-language header):
GET /user_login.php HTTP/1.1
user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
accept-language: 1;select pg_sleep(1); --
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=35kno6h8kmkbin973q02gojp82; uniqueuser=1382404387
Host: xxx.xxx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
I haven't found "accept-language" or "accept_language" anywhere in the app. Also, pg_sleep() isn't a MySQL function.
I searched for a known vulnerability in PHP and didn't find anything. Is this a false positive, or am I missing something?
Upvotes: 1
Views: 1708
Reputation: 365
Accept-Language is the request header sent by the client's browser.
Acunetix was trying to manipulate these headers by injecting malicious code to find security holes (imitating hackers) to test if your application is vulnerable to them.
If you haven't used the accept-language header, or request headers, in your DB queries, then it is probably a false positive. To make sure, see the response of that request; if the response is normal, then it is all OK.
Upvotes: 3
Reputation: 70913
The code will probably treat that header as a source for selecting the language, and that is done via a database query. And when generating the query, the contents of the HTTP header are improperly parsed.
The reason for you not seeing this might be because the fetching of the HTTP headers is done indirectly (like in $_SERVER[$language_header]).
Upvotes: 1
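Added example, not part of any post above: a small source audit that flags the ways PHP code can read a request header without the string "accept-language" ever appearing in the code, which is the indirect access the last answer describes. The pattern list is an assumption and not exhaustive; the sample PHP and all names in it are constructed for illustration.

```python
import pathlib
import re

# Ways PHP can read Accept-Language without that literal string in the source.
# Assumed, non-exhaustive list; extend it for the frameworks the app uses.
PATTERNS = [
    ("direct $_SERVER key", re.compile(r"HTTP_ACCEPT_LANGUAGE", re.I)),
    ("variable $_SERVER key", re.compile(r"\$_SERVER\s*\[\s*\$\w+")),
    ("computed $_SERVER key", re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_['\"]\s*\.")),
    ("whole-array iteration", re.compile(r"foreach\s*\(\s*\$_SERVER\b")),
    ("header-array function", re.compile(r"\b(getallheaders|apache_request_headers)\s*\(")),
    ("intl locale helper", re.compile(r"\b(locale_accept_from_http|Locale::acceptFromHttp)\s*\(")),
    ("filter_input on server vars", re.compile(r"\bfilter_input\s*\(\s*INPUT_SERVER")),
]

def find_header_reads(source, filename="<memory>"):
    """Return (filename, line_no, label, text) for lines that may read a request header."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((filename, line_no, label, line.strip()))
    return hits

def scan_tree(root):
    """Run find_header_reads over every .php file below root."""
    hits = []
    for path in sorted(pathlib.Path(root).rglob("*.php")):
        hits.extend(find_header_reads(path.read_text(errors="replace"), str(path)))
    return hits

# Constructed sample, not from the application in the question.
SAMPLE_PHP = r'''<?php
// language lookup with the header name built at runtime
$language_header = 'HTTP_' . strtoupper(str_replace('-', '_', $cfg['lang_hdr']));
$lang = $_SERVER[$language_header];
$all = getallheaders();
$ua = $_SERVER['HTTP_USER_AGENT'];
$sql = "SELECT id FROM languages WHERE code = '" . $lang . "'";
'''

if __name__ == "__main__":
    for filename, line_no, label, text in find_header_reads(SAMPLE_PHP):
        print(f"{filename}:{line_no}: {label}: {text}")
```

Each hit is a place to trace by hand: follow the value from the flagged line to any query it reaches, and check whether it is bound as a parameter or concatenated into the SQL string.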