Zend\Session session validators do not work as expected if set prior to the
start of a session.
For instance, the following test case fails (where $this->manager is an
instance of Zend\Session\SessionManager):
$this
->manager
->getValidatorChain()
->attach('session.validate', array(new RemoteAddr(), 'isValid'));
$this->manager->start();
$this->assertSame(
array(
'Zend\Session\Validator\RemoteAddr' =3D> '',
),
$_SESSION['__ZF']['_VALID']
);
The implication is that subsequent calls to
Zend\Session\SessionManager#start() (in later requests, assuming a session was
created) will not have any validator metadata attached, which causes any
validator metadata to be re-built from scratch, thus marking the session as
valid.
An attacker is thus able to simply ignore session validators such as RemoteAddr
or HttpUserAgent, since the "signature" that these validators check against is
not being stored in the session.
We now store the signature of the validators in the session immediately
following the call to session_start(), preventing any data loss from session
validators.
The patch fixing the issue has been applied in the following versions:
If you are using session validators, we recommend upgrading immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2015-01-14
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com