php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65495 no validation of session cookie values
Submitted: 2013-08-21 13:49 UTC Modified: 2013-08-21 15:02 UTC
From: cmanley at xs4all dot nl Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.4.18 OS: linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cmanley at xs4all dot nl
New email:
PHP Version: OS:

 

 [2013-08-21 13:49 UTC] cmanley at xs4all dot nl 
Description:
------------
PHP doesn't validate the session id cookie name. Hackers can manipulate it's value 
and try to overwrite non-session files in sites where custom file based session 
handlers are used. 
I use database based handlers, so it doesn't apply to me, but I was surprised to 
see that PHP let the cookie in that I manipulated.


Test script:
---------------
This is debugging from my session handler showing the methods called and arguments with my illegal cookie value '../../../../../../../../var/www/site.com/htdocs/index.php'

SessionManagerPDO::_open('/var/lib/php5', 'PHPSESSID')

SessionManagerPDO::_read('../../../../../../../../var/www/site.com/htdocs/index.php') 
(returns empty string because it finds no row)

SessionManagerPDO::_write('../../../../../../../../var/www/site.com/htdocs/index.php', [0 bytes, md5=d41d8cd98f00b204e9800998ecf8427e]) 
(attempts to insert new row into database, but dies because session_id field is too wide)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-08-21 14:18 UTC] johannes@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2013-08-21 14:18 UTC] johannes@php.net 
It is the job of the handler to validate session IDs. the default file handler uses this whitelist:

    for (p = key; (c = *p); p++) {
       /* valid characters are a..z,A..Z,0..9 */
       if (!((c >= 'a' && c <= 'z')
               || (c >= 'A' && c <= 'Z')
               || (c >= '0' && c <= '9')
               || c == ','
               || c == '-')) {
           ret = FAILURE;
           break;
       }
  }

See http://lxr.php.net/xref/PHP_TRUNK/ext/session/session.c#php_session_valid_key
 [2013-08-21 14:22 UTC] cmanley at xs4all dot nl 
Thanks.
Is it possible to add this to the PHP Validate filters? 
That way a whole lot of PHP programmers (and noobs) won't have to reinvent the 
validation wheel, if they perform any validating at all.

I'm busy making a stricter validation filter that also takes into account the 
values of session.hash_function and session.hash_bits_per_character.
 [2013-08-21 15:02 UTC] johannes@php.net 
It is an interoperability feature that the session functionality is open. You can use a custom save-handler and serialization handler (like wddx) to share session data with non-PHP systems. Enforcing stricter checks might limit this interoperability, especially as a general check must be very restrictive.

An option might be to have the general check optional, but then we still have to do double checking in the default handlers in order to be always secure.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Nov 21 05:00:01 2025 UTC