Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:91885 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 65089 invoked from network); 24 Mar 2016 04:18:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Mar 2016 04:18:46 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.49 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.213.49 mail-vk0-f49.google.com Received: from [209.85.213.49] ([209.85.213.49:35816] helo=mail-vk0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0D/A3-36618-6AA63F65 for ; Wed, 23 Mar 2016 23:18:46 -0500 Received: by mail-vk0-f49.google.com with SMTP id e6so44698317vkh.2 for ; Wed, 23 Mar 2016 21:18:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=7092/0EgcLEYffsjJKQcIAVNduPyRDCy768QZg3+aJs=; b=i32TcY/MNR9TjmcMHZvxp/53KQnCfjVvK8Noi4jbNvnaHrCAP4tYT966T/UUTU9Kbo ycpXK5/ctiKcBSpy8/c7mYupM1DW6Hmzg0icMgn/cR3L+1Sn1O7VLTRmGe57FN6PmdjA efMUai0D8SQBzYyTeGKX9g5QN9gE4U8iuWgvCrEkfygUiDSYTn/Hb5kxypJDuZM4H0cZ sUKZsZ5/IvUhF2lBnYyFT+hOoDXryQsQFT4gfKN4RcA+HjtD0bNh46PZybfsFWfeoWCm yYdn2j2VYtpIfx1bpYN4jJQ8sRIsjbYYlWKNyX3dPrvJbHvQBq+1vBZaVTOcZfOrPMuk /HLg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to; bh=7092/0EgcLEYffsjJKQcIAVNduPyRDCy768QZg3+aJs=; b=kQuHJiBA8+MXDAAWCG8s/nCJprCIDchq9jU9Cmauf0YSfKSKvTfcOD4iCmDfdwnRNw BDiiph7hGZ0dkPElWtPMwz84ZAmDG/M/PN2BgqA1sBRuLB9FHB2YII8OSZR7EbTGvSWd uuNBq88eAuarrZuhvdezyJQMRftBhs+y1Hk6LgvSfRLNQAyGIq1xEse7IwQqT+TZKMB/ vLmbn9Y1Zn3WL6gATuHs+XBu6qb3Cf9n2d3M8LnccH0QXUMcfo3H2RiiQi7bkV74XYBc iqQIEPs+HwuGHzHSP8cjFixOHFKu0Ff8Ir1exuzScZkBEdHP7aWssb6Gfq+9BeDGQDt0 8Y9w== X-Gm-Message-State: AD7BkJLcA8n5uve9X3RYLgdsTL9Aqm0zol6Vv1XGgOCK8h5tiAvuuIJa3eMe096A+GGiO0Wicq0J2DtAxFdMXQ== X-Received: by 10.159.38.13 with SMTP id 13mr145675uag.104.1458793122966; Wed, 23 Mar 2016 21:18:42 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.159.40.98 with HTTP; Wed, 23 Mar 2016 21:18:03 -0700 (PDT) In-Reply-To: References: Date: Thu, 24 Mar 2016 13:18:03 +0900 X-Google-Sender-Auth: E5b6kyhKv09y9WWIsQVcADs6KGw Message-ID: To: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [RFC][Discussion] Precise session data management From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi all, On Thu, Mar 24, 2016 at 11:34 AM, Yasuo Ohgaki wrote: > We have to come up with other solutions for > > - Session loss by race conditions > - Method to make session abuse harder I'll explain how attacker can steal PHP sessions forever with current session module. There are multiple serious issues in current session management. I suppose this makes difficult to understand what wrong with current session. Any stolen session is not acceptable, but I'll focus cases only that allows session abuse forever to make discussion simpler. ** Exploit 1 ** Attack adoptive session management Internet RFC does not define cookie precedence for multiple outstanding cookies. Therefore, when multiple cookies for "httponly", "secure", web site domain names, web app path are set, it's up to browser implementation which cookie is sent to browser. Attacker can set undeletable cookie by using this behavior. i.e. Simple Set-cookie cannot delete nor update session ID cookie, but attacker's session ID stay as outstanding session ID cookie forever. If you experiment how browsers behave, you'll be surprised how easy to set undeletable cookie by single XSS. You'll be surprised how some browsers manage cookie by insane way also. Requirement "session.use_strict_mode=0". This is the default Note "session.use_strict_mode=1" can mitigate issue a little, but remained risk is not acceptable. Attacker may use next attack method explained to keep active session (to avoid GC). "session.use_strict_mode=1" creates client side race condition also. This results in lost sessions on occasion. ** Exploit 2 ** Attack static session ID Stealing active session is easy especially when physical access to device is possible. It's just a matter of displaying cookies for a website and take picture, then abuse. When https is not used, stealing active session ID is trivial by ARP spoofing, evil twins, etc. Even if https is used, setting up https stripping proxy is trivial and HSTS is not used widely. Attackers can keep active session forever by accessing stolen session periodically before GC. Requirement Application that does not call session_regenerate_id() after login and has no expiration period for active sessions. In addition, PHP does not have any attack detection for these attacks while precise session management proposal does. Inclusion, if I were attacker, I would say attacking PHP session is easy and safe (undetectable) by poor session management. Let's discuss how we are going to address these issues and fix them. My opinion is "PHP's session manager must be safe against these attacks by default/out of the box. Users should not have to write code and manage basic session status". Those who were vote against the proposal, please let me know which part of my RFC is not good enough at least, better proposal is appreciated of course. Thank you. -- Yasuo Ohgaki yohgaki@ohgaki.net