php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #61206 Current open_basedir use allows session hijacking
Submitted: 2012-02-29 00:58 UTC Modified: 2021-03-12 11:15 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:3 of 4 (75.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: bk2 at me dot com Assigned:
Status: Suspended Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bk2 at me dot com
New email:
PHP Version: OS:

 

 [2012-02-29 00:58 UTC] bk2 at me dot com 
Description:
------------
open_basedir, which only exists because of harmful scripts, is 
not correctly implemented.

At present, a session wont start unless its /tmp folder is listed in open_basedir.

So one has to DELIBERATELY ALLOW ALL SCRIPTS TO ACCESS SESSION INFORMATION.
or have no sessions.

One cannot set open_basedir to /everyFolderExceptSensitiveSystemSessionFolder.

So
1) The most naive harmful script can delete all sessions constantly
2) A slightly smarter harmful script can deduce session identifier, which 
in turn can hijack any active session and bypass any log in security.

Test script:
---------------
Run start_session with open_basedir set NOT to include 
session temp folder (which defaults to /tmp)


Expected result:
----------------
Session works securely, session data protected from harmful scripts.

Actual result:
--------------
Session is insecure, data accessible to any harmful script.

or

Sessions don't work at all.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-12 18:15 UTC] tyrael@php.net 
Sessions will only work, if the session save path is writable.
If the session save path is not checked against the open_basedir, it means that an attacker can bypass the open_basedir through the session handler.

As far as I can understand you would like change the current implementation so that the default session handler doesn't check the paths alloweb by the open_basedir directive, but everything else would, so no php would be allowed to access the session files.

As I mentioned before, this would make it possible to write arbitrary files outside of the ones allowed by open_basedir, and it would also potentially break a bunch of custom session handlers in the wild, which uses the session_save_path to write out their session files.

This would be a major change, requiring some discussion before, so if you still think that this is a good idea, please start a thread on the internals mailing list.

ps: removing the Private report flag, because this is a widely known limitation of the current session handler.
 [2021-03-12 11:15 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-03-12 11:15 UTC] cmb@php.net 
If anybody feels strongly that the current behavior should be
changed, please pursue the RFC process[1].  For the time being, I
suspend this ticket.

[1] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Sat Sep 23 10:01:24 2023 UTC