Bug #65495 no validation of session cookie values
Submitted: 2013-08-21 13:49 UTC Modified: 2013-08-21 15:02 UTC
From: cmanley at xs4all dot nl Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.4.18 OS: linux
Private report: No CVE-ID: None
 [2013-08-21 13:49 UTC] cmanley at xs4all dot nl
Description:
------------
PHP doesn't validate the session id cookie name. Hackers can manipulate its value 
and try to overwrite non-session files in sites where custom file based session 
handlers are used. 
I use database based handlers, so it doesn't apply to me, but I was surprised to 
see that PHP let the cookie in that I manipulated.


Test script:
---------------
This is debugging from my session handler showing the methods called and arguments with my illegal cookie value '../../../../../../../../var/www/site.com/htdocs/index.php'

SessionManagerPDO::_open('/var/lib/php5', 'PHPSESSID')

SessionManagerPDO::_read('../../../../../../../../var/www/site.com/htdocs/index.php') 
(returns empty string because it finds no row)

SessionManagerPDO::_write('../../../../../../../../var/www/site.com/htdocs/index.php', [0 bytes, md5=d41d8cd98f00b204e9800998ecf8427e]) 
(attempts to insert new row into database, but dies because session_id field is too wide)
 [2013-08-21 14:18 UTC] johannes@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2013-08-21 14:18 UTC] johannes@php.net
It is the job of the handler to validate session IDs. The default file handler uses this whitelist:

    for (p = key; (c = *p); p++) {
        /* valid characters are a..z, A..Z, 0..9, ',' and '-' */
        if (!((c >= 'a' && c <= 'z')
                || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9')
                || c == ','
                || c == '-')) {
            ret = FAILURE;
            break;
        }
    }

See http://lxr.php.net/xref/PHP_TRUNK/ext/session/session.c#php_session_valid_key
 [2013-08-21 14:22 UTC] cmanley at xs4all dot nl
Thanks.
Is it possible to add this to the PHP Validate filters? 
That way a whole lot of PHP programmers (and noobs) won't have to reinvent the 
validation wheel, if they perform any validating at all.

I'm busy making a stricter validation filter that also takes into account the 
values of session.hash_function and session.hash_bits_per_character.
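The whitelist quoted above, plus the stricter length-and-alphabet check derived from session.hash_function and session.hash_bits_per_character, as an added example that is not PHP's own code and not the reporter's SessionManagerPDO. The function names are hypothetical; the ini settings are the PHP 5.x ones named in this thread.

```php
<?php
// Added example, not PHP's own code and not the reporter's SessionManagerPDO: a check a
// custom save handler can run on the ID it receives before touching any storage.
// Function names are hypothetical; it reads the PHP 5.x session.* settings the thread names.

// Same whitelist as php_session_valid_key() in ext/session/session.c: a-z A-Z 0-9 , -
function session_id_has_valid_chars($id)
{
    return is_string($id) && $id !== '' && preg_match('/\A[a-zA-Z0-9,-]+\z/', $id) === 1;
}

// Stricter check: the ID must also have exactly the length and alphabet PHP would
// generate from session.hash_function and session.hash_bits_per_character.
function session_id_is_valid($id)
{
    if (!session_id_has_valid_chars($id)) {
        return false;                        // rejects '../..' traversal values outright
    }
    $hashFunction = (string) ini_get('session.hash_function');
    $bitsPerChar  = (int) ini_get('session.hash_bits_per_character') ?: 4;
    if ($hashFunction === '0' || $hashFunction === '') {
        $bits = 128;                         // MD5
    } elseif ($hashFunction === '1') {
        $bits = 160;                         // SHA-1
    } elseif (in_array($hashFunction, hash_algos(), true)) {
        $bits = strlen(hash($hashFunction, '', true)) * 8;   // named hash algorithm
    } else {
        return false;                        // unknown configuration: fail closed
    }
    // Alphabet the generator emits per bits-per-character; with 6 bits ',' and '-' are
    // the 63rd and 64th symbols, which is why the default files handler allows them.
    $alphabets = array(4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-');
    if (!isset($alphabets[$bitsPerChar])) {
        return false;
    }
    $length = (int) ceil($bits / $bitsPerChar);   // e.g. MD5 at 4 bits/char -> 32
    return preg_match('/\A[' . $alphabets[$bitsPerChar] . ']{' . $length . '}\z/', $id) === 1;
}

// Constructed inputs: the reporter's traversal value, a 32-char hex ID (accepted under the
// built-in defaults, MD5 at 4 bits/char), and a whitelist-clean ID of the wrong length.
foreach (array('../../../../../../../../var/www/site.com/htdocs/index.php',
               '9f86d081884c7d659a2feaa0c55ad015', 'abc') as $id) {
    printf("%-60s %s\n", $id, session_id_is_valid($id) ? 'accepted' : 'rejected');
}
```

A handler that calls the strict check at the top of its read() and write() never hands an attacker-chosen string to the filesystem or a database column; on a mismatch the safe response is to treat the request as having no session and let PHP issue a fresh ID.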
 [2013-08-21 15:02 UTC] johannes@php.net
It is an interoperability feature that the session functionality is open. You can use a custom save-handler and serialization handler (like wddx) to share session data with non-PHP systems. Enforcing stricter checks might limit this interoperability, especially as a general check must be very restrictive.

An option might be to have the general check optional, but then we still have to do double checking in the default handlers in order to be always secure.