Edit report at https://bugs.php.net/bug.php?id=65495&edit=1
ID:                 65495
User updated by:    cmanley at xs4all dot nl
Reported by:        cmanley at xs4all dot nl
Summary:            no validation of session cookie values
Status:             Not a bug
Type:               Bug
Package:            Session related
Operating System:   linux
PHP Version:        5.4.18
Block user comment: N
Private report:     N

New Comment:

Thanks. Is it possible to add this to the PHP Validate filters? That way a whole lot of PHP programmers (and noobs) won't have to reinvent the validation wheel, if they perform any validating at all.
I'm busy making a stricter validation filter that also takes into account the values of session.hash_function and session.hash_bits_per_character.

Previous Comments:
------------------------------------------------------------------------
[2013-08-21 14:18:34] johan...@php.net

It is the job of the handler to validate session IDs. The default file handler uses this whitelist:

    for (p = key; (c = *p); p++) {
        /* valid characters are a..z,A..Z,0..9 */
        if (!((c >= 'a' && c <= 'z')
                || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9')
                || c == ','
                || c == '-')) {
            ret = FAILURE;
            break;
        }
    }

See http://lxr.php.net/xref/PHP_TRUNK/ext/session/session.c#php_session_valid_key

------------------------------------------------------------------------
[2013-08-21 13:49:03] cmanley at xs4all dot nl

Description:
------------
PHP doesn't validate the session id cookie name. Hackers can manipulate its value and try to overwrite non-session files in sites where custom file based session handlers are used. I use database based handlers, so it doesn't apply to me, but I was surprised to see that PHP let the cookie in that I manipulated.

Test script:
---------------
This is debugging from my session handler showing the methods called and arguments with my illegal cookie value '../../../../../../../../var/www/site.com/htdocs/index.php'

SessionManagerPDO::_open('/var/lib/php5', 'PHPSESSID')
SessionManagerPDO::_read('../../../../../../../../var/www/site.com/htdocs/index.php')
    (returns empty string because it finds no row)
SessionManagerPDO::_write('../../../../../../../../var/www/site.com/htdocs/index.php', [0 bytes, md5=d41d8cd98f00b204e9800998ecf8427e])
    (attempts to insert new row into database, but dies because session_id field is too wide)

------------------------------------------------------------------------
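
A stricter check of the kind the new comment describes, written here as an added example; it is not code from this report, from its participants, or from PHP itself. The function names are hypothetical and the sample IDs are constructed. It derives both the allowed alphabet and the exact length from session.hash_function and session.hash_bits_per_character, so a custom save handler can reject a cookie value before using it as a file name or database key.

```php
<?php
// Added example: function names are hypothetical, sample IDs are constructed.

// Digest size in bits for a session.hash_function value (PHP 5.x semantics:
// "0" = MD5, "1" = SHA-1, anything else is an algorithm name from ext/hash).
function session_hash_bits($hashFunction)
{
    if ((string)$hashFunction === '0') { return 128; }
    if ((string)$hashFunction === '1') { return 160; }
    if (!in_array($hashFunction, hash_algos(), true)) {
        throw new InvalidArgumentException('unknown session.hash_function');
    }
    return strlen(hash($hashFunction, '', true)) * 8;
}

// Strict check: alphabet and exact length both follow from the two settings.
function is_strict_session_id($id, $hashFunction, $bitsPerChar)
{
    $alphabets = array(
        4 => '0-9a-f',
        5 => '0-9a-v',
        6 => '0-9a-zA-Z,\-',
    );
    $bitsPerChar = (int)$bitsPerChar;   // ini_get() returns strings
    if (!is_string($id) || !isset($alphabets[$bitsPerChar])) {
        return false;
    }
    $length = (int)ceil(session_hash_bits($hashFunction) / $bitsPerChar);
    // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
    $pattern = '/\A[' . $alphabets[$bitsPerChar] . ']{' . $length . '}\z/';
    return preg_match($pattern, $id) === 1;
}

// Constructed samples, checked against MD5 with 4 bits per character.
$samples = array(
    'd41d8cd98f00b204e9800998ecf8427e',                          // well-formed
    '../../../../../../../../var/www/site.com/htdocs/index.php', // value from the report
    "d41d8cd98f00b204e9800998ecf8427e\n",                        // trailing newline
    'D41D8CD98F00B204E9800998ECF8427E',                          // outside the 4-bit alphabet
);
foreach ($samples as $id) {
    $verdict = is_strict_session_id($id, 0, 4) ? 'accept' : 'reject';
    printf("%-7s %s\n", $verdict, json_encode($id, JSON_UNESCAPED_SLASHES));
}
```

In a handler, pass ini_get('session.hash_function') and ini_get('session.hash_bits_per_character') as the last two arguments. PHP 7.1 and later replaced these two settings with session.sid_length and session.sid_bits_per_character, so the length would come from the setting directly there.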