WebApp Sec mailing list archives

PHP's session_set_save_handler: Easy to Get Things Wrong


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 13 May 2003 23:53:45 +0200

First: This is not a vulnerability in PHP itself, but one of those
design decisions that make it easy to write vulnerable PHP
applications.

PHP allows outside users to dictate the session ID by manipulating the
PHPSESSID cookie parameter.  When a custom made session save handler
is used, the incoming ID is not validated by PHP.  PHP thus passes a
string of any length, containing any character to the custom made
handler functions.

If the programmer writing the session save handler is not aware that
the ID may be anything, the application may become vulnerable to
different kinds of attacks depending on how the session is persisted.


Details: http://shh.thathost.com/secadv/2003-05-13-php.txt


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
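
A save handler that applies the check the message says PHP does not perform, as an added example that is not part of the original post or of PHP itself: every ID is matched against an allowlist before it is used to build a file name. It assumes PHP 8 and file-based storage; the class name, directory path and ID pattern are illustrative assumptions.

```php
<?php
// Added example: file-backed save handler that validates the incoming session ID.
final class ValidatingFileSessionHandler implements SessionHandlerInterface
{
    // Assumed allowlist: 22 to 128 letters, digits, commas or hyphens. Adjust to your ID format.
    private const ID_PATTERN = '/\A[A-Za-z0-9,-]{22,128}\z/';
    public function __construct(private string $dir) {}

    // Every method that receives an ID goes through this check; null means "rejected".
    private function pathFor(string $id): ?string
    {
        return preg_match(self::ID_PATTERN, $id) === 1 ? $this->dir . '/sess_' . $id : null;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->pathFor($id);
        // Invalid or unknown IDs yield an empty session instead of touching storage.
        return ($file !== null && is_file($file)) ? (string) file_get_contents($file) : '';
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->pathFor($id);
        return $file !== null && file_put_contents($file, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->pathFor($id);
        return $file === null || !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) + $max_lifetime < time());
        return count(array_filter($old, 'unlink'));
    }
}

session_set_save_handler(new ValidatingFileSessionHandler('/var/lib/myapp/sessions'), true); // placeholder path
```

The same allowlist check belongs in front of any other storage backend, before the ID reaches a query, key or path.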

