Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-96C6-M98X-HXJX
HistoryJun 07, 2024 - 9:25 p.m.

Zend-Session session validation vulnerability

2024-06-0721:25:23
CWE-384
GitHub Advisory Database
github.com
3
zend-session
session validation
vulnerability
remoteaddr
httpuseragent
metadata reset
bypass

6.7 Medium

AI Score

Confidence

Low

JSON

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the “signature” that these validators check against is not being stored in the session.

Affected configurations

Vulners
Node
zendframeworkzend-sessionRange<2.3.4
OR
zendframeworkzend-sessionRange<2.2.9

References

6.7 Medium

AI Score

Confidence

Low

JSON