Sec Bug #61206 Current open_basedir use allows session hijacking
Submitted: 2012-02-29 00:58 UTC Modified: 2014-02-12 18:15 UTC
Votes: 3
Avg. Score: 4.3 ± 0.9
Reproduced: 2 of 3 (66.7%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: bk2 at me dot com Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.3.10 OS: *nix
Private report: No CVE-ID: None
 [2012-02-29 00:58 UTC] bk2 at me dot com
Description:
------------
open_basedir, which only exists because of harmful scripts, is not correctly implemented.

At present, a session won't start unless its /tmp folder is listed in open_basedir.

So one has to DELIBERATELY ALLOW ALL SCRIPTS TO ACCESS SESSION INFORMATION, or have no sessions.

One cannot set open_basedir to /everyFolderExceptSensitiveSystemSessionFolder.

So
1) The most naive harmful script can delete all sessions constantly.
2) A slightly smarter harmful script can deduce the session identifier, which in turn can hijack any active session and bypass any login security.

Test script:
---------------
Run start_session with open_basedir set NOT to include the session temp folder (which defaults to /tmp).


Expected result:
----------------
Session works securely, session data protected from harmful scripts.

Actual result:
--------------
Session is insecure, data accessible to any harmful script.

or

Sessions don't work at all.

 [2014-02-12 18:15 UTC] tyrael@php.net
Sessions will only work if the session save path is writable.
If the session save path is not checked against the open_basedir, it means that an attacker can bypass the open_basedir through the session handler.

As far as I can understand, you would like to change the current implementation so that the default session handler doesn't check the paths allowed by the open_basedir directive, but everything else would, so no PHP would be allowed to access the session files.

As I mentioned before, this would make it possible to write arbitrary files outside of the ones allowed by open_basedir, and it would also potentially break a bunch of custom session handlers in the wild, which use the session_save_path to write out their session files.

This would be a major change, requiring some discussion before, so if you still think that this is a good idea, please start a thread on the internals mailing list.

ps: removing the Private report flag, because this is a widely known limitation of the current session handler.
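The following script is an added example illustrating the two outcomes described in the report and in tyrael's reply; it is not code from the bug report, from the commenter, or from PHP itself. It checks whether the configured session save path lies inside open_basedir: if it does not, session_start() cannot open the save path and sessions fail; if it does, the same script (and therefore any other script confined to the same open_basedir) can enumerate the sess_* files in that directory, which is the session-ID leak the reporter is worried about. The helper names path_within_open_basedir and enumerate_session_ids are assumptions of this example, as is the use of PHP's default file-based handler with sess_<id> file names.

```php
<?php
// Added example (not from the bug report or from PHP). Shows why a file-based
// session save path must be inside open_basedir, and what any script inside
// that open_basedir can then see.
//
// Assumptions (not stated on the page):
//   - the default "files" session handler is in use, storing sess_<id> files
//   - open_basedir and session.save_path come from php.ini / the vhost config
//   - an empty session.save_path means the system temp dir (/tmp on most *nix)

declare(strict_types=1);

/**
 * Return true if $path is located under one of the open_basedir entries.
 * An empty open_basedir means "no restriction". realpath() itself honours
 * open_basedir and returns false for paths outside it, which is treated as
 * "not inside".
 */
function path_within_open_basedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true;
    }
    $real = @realpath($path);
    if ($real === false) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $base = rtrim($base, '/');
        if ($base === '' || $real === $base || strpos($real . '/', $base . '/') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * List the session IDs visible in a save path. This is exactly what a
 * hostile script confined to the same open_basedir can do: the IDs are the
 * file names, so reading the directory is enough to hijack or unlink them.
 */
function enumerate_session_ids(string $savePath): array
{
    $ids = [];
    foreach (glob(rtrim($savePath, '/') . '/sess_*') ?: [] as $file) {
        $ids[] = substr(basename($file), strlen('sess_'));
    }
    return $ids;
}

$openBasedir = (string) (ini_get('open_basedir') ?: '');
$savePath    = session_save_path() ?: sys_get_temp_dir();

if (!path_within_open_basedir($savePath, $openBasedir)) {
    // The "sessions don't work at all" branch of the report: the files
    // handler cannot open a save path outside open_basedir, so
    // session_start() emits a warning and no session is created.
    echo "save_path {$savePath} is outside open_basedir '{$openBasedir}': session_start() would fail\n";
} else {
    session_start();
    // The "data accessible to any harmful script" branch: every script that
    // is allowed into the save path can list, read and unlink all sessions
    // stored there, including ones belonging to other users or vhosts.
    echo "session " . session_id() . " started; session files visible to this script:\n";
    foreach (enumerate_session_ids($savePath) as $id) {
        echo "  sess_{$id}\n";
    }
}
```

Run it from the CLI or a web request with different open_basedir and session.save_path settings to see each branch. The practical consequence of tyrael's reply is that the isolation has to come from the configuration rather than from open_basedir alone: give each vhost or pool its own save directory inside its own open_basedir (for example `session.save_path = /var/lib/php/sessions/vhost1` together with `open_basedir = /var/www/vhost1:/var/lib/php/sessions/vhost1`, with the directory owned by that vhost's user and mode 0700), or move session storage off the filesystem with a non-file session handler, so that a script can never reach another tenant's sess_* files in the first place. The directory and vhost names in that configuration are illustrative.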
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Jul 19 04:01:25 2019 UTC