Edit report at https://bugs.php.net/bug.php?id=65495&edit=1
ID:                 65495
Updated by:         johan...@php.net
Reported by:        cmanley at xs4all dot nl
Summary:            no validation of session cookie values
Status:             Not a bug
Type:               Bug
Package:            Session related
Operating System:   linux
PHP Version:        5.4.18
Block user comment: N
Private report:     N

New Comment:

It is an interoperability feature that the session functionality is open. You can use a custom save-handler and serialization handler (like wddx) to share session data with non-PHP systems. Enforcing stricter checks might limit this interoperability, especially as a general check must be very restrictive. An option might be to have the general check optional, but then we still have to do double checking in the default handlers in order to be always secure.

Previous Comments:
------------------------------------------------------------------------
[2013-08-21 14:22:59] cmanley at xs4all dot nl

Thanks. Is it possible to add this to the PHP Validate filters? That way a whole lot of PHP programmers (and noobs) won't have to reinvent the validation wheel, if they perform any validating at all.

I'm busy making a stricter validation filter that also takes into account the values of session.hash_function and session.hash_bits_per_character.

------------------------------------------------------------------------
[2013-08-21 14:18:34] johan...@php.net

It is the job of the handler to validate session IDs. The default file handler uses this whitelist:

    for (p = key; (c = *p); p++) {
        /* valid characters are a..z,A..Z,0..9 */
        if (!((c >= 'a' && c <= 'z') ||
              (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') ||
              c == ',' || c == '-')) {
            ret = FAILURE;
            break;
        }
    }

See http://lxr.php.net/xref/PHP_TRUNK/ext/session/session.c#php_session_valid_key

------------------------------------------------------------------------
[2013-08-21 13:49:03] cmanley at xs4all dot nl

Description:
------------
PHP doesn't validate the session id cookie name.
Hackers can manipulate its value and try to overwrite non-session files in sites where custom file based session handlers are used. I use database based handlers, so it doesn't apply to me, but I was surprised to see that PHP let the cookie in that I manipulated.

Test script:
---------------
This is debugging from my session handler showing the methods called and arguments with my illegal cookie value '../../../../../../../../var/www/site.com/htdocs/index.php'

    SessionManagerPDO::_open('/var/lib/php5', 'PHPSESSID')
    SessionManagerPDO::_read('../../../../../../../../var/www/site.com/htdocs/index.php')
      (returns empty string because it finds no row)
    SessionManagerPDO::_write('../../../../../../../../var/www/site.com/htdocs/index.php', [0 bytes, md5=d41d8cd98f00b204e9800998ecf8427e])
      (attempts to insert new row into database, but dies because session_id field is too wide)

------------------------------------------------------------------------
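Added example, not part of the bug report and not PHP's or the reporter's own code: a save-handler-side validator that applies the php_session_valid_key whitelist johannes quotes, and then the stricter check cmanley describes, deriving the exact id length and alphabet from session.hash_function and session.hash_bits_per_character. Function names are this example's own; the two ini values are passed in explicitly (on PHP 5.x they would come from ini_get()).

```php
<?php
// Added example, not PHP's own code and not the reporter's filter.
// Helper names are this example's own. The two ini settings exist on
// PHP 5.x (removed in 7.1); they are passed in explicitly here so the
// script runs stand-alone, e.g. with ini_get('session.hash_function').

// Same whitelist as php_session_valid_key: a-z A-Z 0-9 , -
function session_id_chars_ok($id) {
    return is_string($id) && $id !== ''
        && preg_match('/\A[a-zA-Z0-9,-]+\z/', $id) === 1;
}

// Length PHP produces for a given session.hash_function
// ("0" = md5/128 bits, "1" = sha1/160 bits, otherwise a hash() algorithm
// name) and session.hash_bits_per_character (4, 5 or 6).
function expected_session_id_length($hashFunction, $bitsPerChar) {
    if ((string) $hashFunction === '0') {
        $bits = 128;
    } elseif ((string) $hashFunction === '1') {
        $bits = 160;
    } elseif (in_array($hashFunction, hash_algos(), true)) {
        $bits = 8 * strlen(hash($hashFunction, '', true));
    } else {
        return 0; // unknown algorithm: no id can match
    }
    return (int) ceil($bits / $bitsPerChar);
}

// Strict check: whitelist, exact length, and the narrower alphabet that
// the configured bits-per-character actually emits.
function session_id_strict_ok($id, $hashFunction, $bitsPerChar) {
    $alphabet = array(
        4 => '/\A[0-9a-f]+\z/',
        5 => '/\A[0-9a-v]+\z/',
        6 => '/\A[0-9a-zA-Z,-]+\z/',
    );
    return session_id_chars_ok($id)
        && isset($alphabet[$bitsPerChar])
        && strlen($id) === expected_session_id_length($hashFunction, $bitsPerChar)
        && preg_match($alphabet[$bitsPerChar], $id) === 1;
}

// Constructed inputs: the traversal value from the report and a
// well-formed 32-character md5 id with the default 4 bits per character.
$bad  = '../../../../../../../../var/www/site.com/htdocs/index.php';
$good = 'd41d8cd98f00b204e9800998ecf8427e';
var_dump(session_id_chars_ok($bad));
var_dump(session_id_strict_ok($good, '0', 4));
var_dump(session_id_strict_ok($good, '1', 4)); // sha1 ids are 40 characters
```

A handler that rejects the id before _read()/_write() run avoids the oversized database insert shown in the test script, and can regenerate a fresh id instead of trusting the client's.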