Security

Security Advisory: ZF2015-01

ZF2015-01: Session validation vulnerability

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.

Action Taken

We now store the signature of the validators in the session immediately following the call to session_start(), preventing any data loss from session validators.

The patch fixing the issue has been applied in the following versions:

  • Zend Framework 2.2.9
  • Zend Framework 2.3.4

Recommendations

If you are using session validators, we recommend upgrading immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-01-14

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts