Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:56296
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain yahoo.co.jp designates 114.111.99.167 as permitted sender)
DomainKey-Status: bad
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=yj20110701; d=yahoo.co.jp;
  h=Received:X-Apparently-From:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
  b=lAGiZzOq0lFWI3ZIoCKYTIGkG/veRpjvI7LuFQxop7oWC1kAaqHcND9clSa4STWtvaNU25+M6fi4dUZC2P06kMG2dZ0IAit3YBuQkkY6371cHwhqdEuqN1ESpHAxphctaubnUr5xhInzWZ6okv8UyJoQsQ9NoqKoaXW3wOZlRtU=  ;
Message-ID: <4EBDC283.3040700@yahoo.co.jp>
Date: Sat, 12 Nov 2011 09:49:07 +0900
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAGa2bXYDbDnTi1aF4Ts9oShyy=2NKPaTc34_+Hg7ZN0v+_MGSQ@mail.gmail.com>
In-Reply-To: <CAGa2bXYDbDnTi1aF4Ts9oShyy=2NKPaTc34_+Hg7ZN0v+_MGSQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Strict session?
From: rui_hirokawa@yahoo.co.jp (Rui Hirokawa)


Hi,

I strongly recommend to submit the Strict session patch for
php-src(HEAD) because the vulnerability of PHP against the session
adoption/fixation attack is annoying issue of the PHP programmers for
many years.

I also suggest to apply this patch for PHP_5_4 after PHP 5.4.0 is
released. For PHP 5.4.1, I suggest that the default value of
session.use_strict_mode should be 0 (Off) to maintain the backward
compatibility.

Rui

Yasuo Ohgaki wrote:
> Hi all,
> 
> Few years ago, I have proposed strict session.
> It seems PHP 5.4 and php-src don't have protection against session
> adoption yet.
> 
> Since there will be many TLDs, session adoption attack will be
> very easy for some domains until browsers support them.
> Even without new TLDs, attacker may place cookie file to attack
> session adoption or can exploit paths or domains, since there is no
> standard for precedence.
> 
> e.g. Domain has more precedence over path on Chrome while
> path has greater precedence on IE. This is due to the order difference
> of sent cookies. (If there are multiple cookies are set for domain/path, only
> one became the outstanding cookie. I think PHP uses first IIRC while other
> implementation may use the last. Therefore, browser may not able to
> solve this issue, since it may destroy apps specific to browser)
> 
> Even if a programmer sets path and domain for PHP session id cookie,
> attackers may exploit this to fix session id with session managers that are
> vulnerable to session adoption.
> 
> If you don't get idea, play with cookie with/without domain/path is set/unset.
> You'll see how attacker may use session adoption. Default session module's
> configuration (domain not set, path set to /) is very easy to exploit anyway.
> 
> I usually set both exact application domain/path, and unset all domain/path
> cookies for session id to prevent the attack. I guess this is not
> widely adopted.
> Even this is not enough. For example, if subdomain is added, Chrome has
> greater precedence for subdomain and attacker may exploit it.
> 
> I pasted a patch for PHP 5.2 that rejects uninitialized session id. I
> think original
> patch was written by Stefan Esser. It is for PHP 5.2, but it's easy to port to
> current PHP. If one would like to old behavior, he/she can just turn off the
> strict session.
> 
> There are too many ways to exploit session with session adoption vulnerable
> session manger. Simple solution is making session manager strict.
> 
> Any comments?
> 
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
> 
>