Sec Bug #61206 Current open_basedir use allows session hijacking
Submitted: 2012-02-29 00:58 UTC
Modified: 2021-03-12 11:15 UTC
Votes: 4
Avg. Score: 4.0 ± 1.0
Reproduced: 3 of 4 (75.0%)
Same Version: 2 (66.7%)
Same OS: 1 (33.3%)
From: bk2 at me dot com
Assigned:
Status: Suspended
Package: Safe Mode/open_basedir
PHP Version: 5.3.10
OS: *nix
Private report: No
CVE-ID: None
 [2012-02-29 00:58 UTC] bk2 at me dot com
Description:
------------
open_basedir, which only exists because of harmful scripts, is not correctly implemented.

At present, a session won't start unless its /tmp folder is listed in open_basedir.

So one has to DELIBERATELY ALLOW ALL SCRIPTS TO ACCESS SESSION INFORMATION, or have no sessions.

One cannot set open_basedir to /everyFolderExceptSensitiveSystemSessionFolder.

So
1) The most naive harmful script can delete all sessions constantly
2) A slightly smarter harmful script can deduce a session identifier, which in turn can hijack any active session and bypass any login security.

Test script:
---------------
Run start_session with open_basedir set NOT to include the session temp folder (which defaults to /tmp)


Expected result:
----------------
Session works securely, session data protected from harmful scripts.

Actual result:
--------------
Session is insecure, data accessible to any harmful script.

or

Sessions don't work at all.

 [2014-02-12 18:15 UTC] tyrael@php.net
Sessions will only work if the session save path is writable.
If the session save path is not checked against the open_basedir, it means that an attacker can bypass the open_basedir through the session handler.

As far as I can understand, you would like to change the current implementation so that the default session handler doesn't check the paths allowed by the open_basedir directive, but everything else would, so no PHP would be allowed to access the session files.

As I mentioned before, this would make it possible to write arbitrary files outside of the ones allowed by open_basedir, and it would also potentially break a bunch of custom session handlers in the wild, which use the session_save_path to write out their session files.

This would be a major change, requiring some discussion before, so if you still think that this is a good idea, please start a thread on the internals mailing list.

PS: removing the Private report flag, because this is a widely known limitation of the current session handler.
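The constraint described in the report and in the comment above (the session save path must lie inside open_basedir, otherwise session_start() fails) leaves a mitigation that does not require changing PHP: give each application its own session directory inside its own open_basedir instead of sharing /tmp, so a script confined to one application's base directory cannot reach another application's session files. The script below is an added example, not code from the bug report or from PHP itself. The paths /var/www/app1 and its var/sessions subdirectory are assumptions, and sessionPathAllowed() is a hypothetical helper that only approximates the engine's own directory check.

```php
<?php
// Added example: a per-application session directory inside open_basedir.
// Not from the bug report; the paths below are assumptions for illustration.
declare(strict_types=1);

// Assumed layout: each vhost gets its own document root and its own session
// directory underneath it. In production both values belong in the php-fpm
// pool or vhost configuration (php_admin_value), not in application code.
$appRoot    = '/var/www/app1';
$sessionDir = $appRoot . '/var/sessions';

/**
 * Hypothetical helper: approximates the check PHP applies when a session is
 * started, i.e. whether $savePath resolves to a location inside one of the
 * open_basedir entries (entries are treated as directory names).
 */
function sessionPathAllowed(string $openBasedir, string $savePath): bool
{
    $real = realpath($savePath);
    if ($real === false) {
        return false;                       // path does not exist (yet)
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $base = realpath($entry);
        if ($base === false) {
            continue;
        }
        $base = rtrim($base, '/') . '/';
        if (strncmp($real . '/', $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// 1. Create the private session directory with owner-only permissions.
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    exit("cannot create $sessionDir\n");
}

// 2. Point the session handler at it before restricting open_basedir.
ini_set('session.save_path', $sessionDir);

// 3. Tighten open_basedir at runtime (runtime changes may only narrow it);
//    the application root contains $sessionDir, so sessions keep working.
ini_set('open_basedir', $appRoot);

// 4. Independent hardening (PHP >= 5.5.2): refuse session IDs that the
//    server never issued, so a supplied ID cannot be adopted as-is.
ini_set('session.use_strict_mode', '1');

// 5. Sanity check, then start the session.
$basedir = (string) ini_get('open_basedir');
if (!sessionPathAllowed($basedir, $sessionDir)) {
    exit("session.save_path $sessionDir is outside open_basedir $basedir\n");
}
if (!session_start()) {
    exit("session_start() failed\n");
}
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'session ', session_id(), " active; files live in $sessionDir\n";
```

In a php-fpm deployment the same effect is obtained by setting php_admin_value[open_basedir] and php_admin_value[session.save_path] per pool, one pool per application, so that no pool's open_basedir includes another pool's session directory. Applications that register a custom handler with session_set_save_handler() and store sessions in a database avoid the shared-filesystem problem altogether, which is also why the comment above warns that changing the default handler's path check would break such handlers.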
 [2021-03-12 11:15 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-03-12 11:15 UTC] cmb@php.net
If anybody feels strongly that the current behavior should be changed, please pursue the RFC process[1]. For the time being, I suspend this ticket.

[1] <https://wiki.php.net/rfc/howto>