Sec Bug #61206 Current open_basedir use allows session hijacking
Submitted: 2012-02-29 00:58 UTC Modified: 2021-03-12 11:15 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:3 of 4 (75.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: bk2 at me dot com Assigned:
Status: Suspended Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None
 [2012-02-29 00:58 UTC] bk2 at me dot com
Description:
------------
open_basedir, which only exists because of harmful scripts, is 
not correctly implemented.

At present, a session won't start unless its /tmp folder is listed in open_basedir.

So one has to DELIBERATELY ALLOW ALL SCRIPTS TO ACCESS SESSION INFORMATION,
or have no sessions.

One cannot set open_basedir to /everyFolderExceptSensitiveSystemSessionFolder.

So
1) The most naive harmful script can delete all sessions constantly
2) A slightly smarter harmful script can deduce session identifier, which 
in turn can hijack any active session and bypass any log in security.

Test script:
---------------
Run start_session with open_basedir set NOT to include 
session temp folder (which defaults to /tmp)


Expected result:
----------------
Session works securely, session data protected from harmful scripts.

Actual result:
--------------
Session is insecure, data accessible to any harmful script.

or

Sessions don't work at all.

 [2014-02-12 18:15 UTC] tyrael@php.net
Sessions will only work if the session save path is writable.
If the session save path is not checked against the open_basedir, it means that an attacker can bypass the open_basedir through the session handler.

As far as I can understand you would like to change the current implementation so that the default session handler doesn't check the paths allowed by the open_basedir directive, but everything else would, so no php would be allowed to access the session files.

As I mentioned before, this would make it possible to write arbitrary files outside of the ones allowed by open_basedir, and it would also potentially break a bunch of custom session handlers in the wild, which use the session_save_path to write out their session files.

This would be a major change, requiring some discussion before, so if you still think that this is a good idea, please start a thread on the internals mailing list.

ps: removing the Private report flag, because this is a widely known limitation of the current session handler.
 [2021-03-12 11:15 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-03-12 11:15 UTC] cmb@php.net
If anybody feels strongly that the current behavior should be
changed, please pursue the RFC process[1].  For the time being, I
suspend this ticket.

[1] <https://wiki.php.net/rfc/howto>
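
The two outcomes described in this report can be checked for across a shared host. The following is an added example, not code from the report or from the PHP project: a Python audit over constructed per-site settings that reports which sites' scripts are allowed to open other sites' session directories, and which sites cannot start sessions at all. Site names and paths are hypothetical, and path matching is string-based (symlinks are not resolved).

```python
import posixpath

# Constructed sample: per-site PHP settings (hypothetical names and paths).
SITES = {
    "shop":  {"open_basedir": "/var/www/shop:/tmp", "session.save_path": ""},
    "blog":  {"open_basedir": "/var/www/blog:/tmp", "session.save_path": "/tmp"},
    "intra": {"open_basedir": "/var/www/intra:/var/lib/php/sess-intra",
              "session.save_path": "2;/var/lib/php/sess-intra"},
    "wiki":  {"open_basedir": "/var/www/wiki", "session.save_path": "/tmp"},
}
DEFAULT_SAVE_PATH = "/tmp"  # default named in the report


def save_dir(value):
    """Directory part of session.save_path, without the optional 'N;' or 'N;MODE;' prefix."""
    path = value.rsplit(";", 1)[-1].strip() or DEFAULT_SAVE_PATH
    return posixpath.normpath(path)


def allowed(path, open_basedir):
    """True if path is an open_basedir directory or lies beneath one."""
    if not open_basedir:
        return True  # no restriction configured
    for base in open_basedir.split(":"):
        if not base:
            continue
        base = posixpath.normpath(base)
        if path == base or path.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit(sites):
    """Map each site to 'sessions-broken', 'can-read:<other sites>' or 'ok'."""
    dirs = {n: save_dir(c.get("session.save_path", "")) for n, c in sites.items()}
    findings = {}
    for name, cfg in sites.items():
        basedir = cfg.get("open_basedir", "")
        if not allowed(dirs[name], basedir):
            # Own save path is outside open_basedir: sessions cannot start.
            findings[name] = "sessions-broken"
            continue
        # Other sites whose session files this site's scripts may open.
        others = sorted(o for o in sites if o != name and allowed(dirs[o], basedir))
        findings[name] = "can-read:" + ",".join(others) if others else "ok"
    return findings


if __name__ == "__main__":
    for site, finding in audit(SITES).items():
        print(f"{site:6} {finding}")
```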
 
Last updated: Sat Dec 21 14:01:32 2024 UTC