Edit report at https://bugs.php.net/bug.php?id=65495&edit=1

 ID:                 65495
 Updated by:         johan...@php.net
 Reported by:        cmanley at xs4all dot nl
 Summary:            no validation of session cookie values
-Status:             Open
+Status:             Not a bug
-Type:               Security
+Type:               Bug
 Package:            Session related
 Operating System:   linux
 PHP Version:        5.4.18
 Block user comment: N
 Private report:     Y

 New Comment:

It is the job of the handler to validate session IDs. The default file handler 
uses this whitelist:

    for (p = key; (c = *p); p++) {
        /* valid characters are a..z, A..Z, 0..9, ',' and '-' */
        if (!((c >= 'a' && c <= 'z')
                || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9')
                || c == ','
                || c == '-')) {
            ret = FAILURE;
            break;
        }
    }

See http://lxr.php.net/xref/PHP_TRUNK/ext/session/session.c#php_session_valid_key


Previous Comments:
------------------------------------------------------------------------
[2013-08-21 13:49:03] cmanley at xs4all dot nl

Description:
------------
PHP doesn't validate the session id cookie name. Hackers can manipulate its 
value and try to overwrite non-session files in sites where custom file based 
session handlers are used. 
I use database based handlers, so it doesn't apply to me, but I was surprised 
to see that PHP let in the cookie that I manipulated.


Test script:
---------------
This is debugging from my session handler showing the methods called and 
arguments with my illegal cookie value 
'../../../../../../../../var/www/site.com/htdocs/index.php'

SessionManagerPDO::_open('/var/lib/php5', 'PHPSESSID')

SessionManagerPDO::_read('../../../../../../../../var/www/site.com/htdocs/index.php')
 
(returns empty string because it finds no row)

SessionManagerPDO::_write('../../../../../../../../var/www/site.com/htdocs/index.php', [0 bytes, md5=d41d8cd98f00b204e9800998ecf8427e]) 
(attempts to insert new row into database, but dies because session_id field is 
too wide)




------------------------------------------------------------------------
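The two comments above together make the practical point: PHP core only checks the cookie value inside the files handler (php_session_valid_key), so a custom handler that builds a filesystem path from the id must apply an equivalent whitelist itself. The following is an added example, not code from the bug report, from PHP, or from the reporter's SessionManagerPDO class. It shows a file-based SessionHandlerInterface implementation that rejects any id outside the character set the default handler accepts, so the traversal value quoted in the report can never reach the filesystem. The class name, the 128-character length cap and the `sess_` file prefix are assumptions chosen for the example.

```php
<?php
// Added example: a custom file-based session handler that validates the
// session id the way PHP's default files handler does, before using it in a
// path. Not part of PHP or of the bug report. Class name, length cap and
// 'sess_' prefix are assumptions.

class ValidatingFileSessionHandler implements SessionHandlerInterface
{
    private $savePath;

    /**
     * Same character set as php_session_valid_key(): a-z A-Z 0-9 , -
     * Anything else (including '.', '/' and '\') is rejected, so a cookie
     * value such as '../../../../../../../../var/www/site.com/htdocs/index.php'
     * fails here and is never turned into a path.
     */
    public static function isValidId($id)
    {
        return is_string($id)
            && $id !== ''
            && strlen($id) <= 128                       // assumption: cap for the backend
            && preg_match('/^[a-zA-Z0-9,-]+$/', $id) === 1;
    }

    /** Only ever called with an id that passed isValidId(). */
    private function pathFor($id)
    {
        return $this->savePath . DIRECTORY_SEPARATOR . 'sess_' . $id;
    }

    public function open($savePath, $sessionName)
    {
        $this->savePath = rtrim($savePath, DIRECTORY_SEPARATOR);
        if (!is_dir($this->savePath)) {
            mkdir($this->savePath, 0700, true);
        }
        return true;
    }

    public function close()
    {
        return true;
    }

    public function read($id)
    {
        if (!self::isValidId($id)) {
            return '';                  // illegal id: behave as "no session", touch nothing
        }
        $file = $this->pathFor($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    public function write($id, $data)
    {
        if (!self::isValidId($id)) {
            return false;               // refuse to create or overwrite anything
        }
        return file_put_contents($this->pathFor($id), $data, LOCK_EX) !== false;
    }

    public function destroy($id)
    {
        if (!self::isValidId($id)) {
            return false;
        }
        $file = $this->pathFor($id);
        return !is_file($file) || unlink($file);
    }

    public function gc($maxlifetime)
    {
        foreach (glob($this->savePath . DIRECTORY_SEPARATOR . 'sess_*') as $file) {
            if (filemtime($file) + $maxlifetime < time()) {
                unlink($file);
            }
        }
        return true;
    }
}

// Usage: register the handler before session_start(). With the cookie value
// from the report, read() returns '' and write() returns false, so the
// request gets an empty session and no file outside the save path is touched.
session_set_save_handler(new ValidatingFileSessionHandler(), true);
session_start();
```

Two caveats for handlers written against newer PHP versions: `session.use_strict_mode` (PHP 5.5.2 and later) makes PHP discard an incoming id that the handler does not recognise and issue a fresh one, and `SessionUpdateTimestampHandlerInterface::validateId()` (PHP 7.0 and later) gives the handler an explicit hook for exactly this check. Neither removes the need for the whitelist above when the id is turned into a path or a query parameter.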


