Zend\Session session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):
// Validator attached to the chain BEFORE the session is started
$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));
$this->manager->start();
// Expected: the validator's metadata is persisted in the session; on affected versions it is not
$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' => '',
    ),
    $_SESSION['__ZF']['_VALID']
);
The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will find no validator metadata attached to the session, which causes the validator metadata to be rebuilt from scratch on every request, thus marking the session as valid regardless of the client.
An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.
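The following is an added example, not code from the advisory or from Zend Framework, showing how an application can verify after start() that the metadata of every attached validator was actually persisted under the $_SESSION['__ZF']['_VALID'] layout the advisory shows, and record it itself when it is missing. It assumes the Zend\Session\SessionManager, ValidatorChain and Zend\Session\Validator classes as shipped with Zend Framework 2, and that each validator exposes getName() and getData() as well as isValid(); the helper missingValidatorMetadata() and the log message are this example's own.

```php
<?php
// Added example; not part of the advisory or of Zend Framework.
// Assumed: Zend Framework 2 session classes are autoloaded.

use Zend\Session\SessionManager;
use Zend\Session\Validator\HttpUserAgent;
use Zend\Session\Validator\RemoteAddr;

/**
 * Return the names of validators whose metadata is absent from the session's
 * '__ZF'/'_VALID' bucket (the layout shown in the advisory). Pure function
 * over plain arrays so it can be exercised without a live session.
 *
 * @param string[] $expectedNames validator names as returned by getName()
 * @param array    $session       the $_SESSION array (or a constructed stand-in)
 * @return string[]
 */
function missingValidatorMetadata(array $expectedNames, array $session)
{
    $stored = array();
    if (isset($session['__ZF']['_VALID']) && is_array($session['__ZF']['_VALID'])) {
        $stored = $session['__ZF']['_VALID'];
    }

    $missing = array();
    foreach ($expectedNames as $name) {
        if (!array_key_exists($name, $stored)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Validators attached before start(), exactly the ordering the advisory describes.
$validators = array(new RemoteAddr(), new HttpUserAgent());

$manager = new SessionManager();
foreach ($validators as $validator) {
    $manager->getValidatorChain()->attach('session.validate', array($validator, 'isValid'));
}
$manager->start();

// Names of the validators we expect to find persisted in the session.
$expected = array();
foreach ($validators as $validator) {
    $expected[] = $validator->getName();
}

$missing = missingValidatorMetadata($expected, $_SESSION);

if (count($missing) > 0) {
    // Detection: on an affected version this fires on the first request of every session.
    error_log(sprintf(
        'session %s started without persisted validator metadata for: %s',
        $manager->getId(),
        implode(', ', $missing)
    ));

    // Workaround on an unpatched version: store the current client's values
    // now, so later requests are compared against this first request rather
    // than against freshly rebuilt (and therefore always matching) metadata.
    foreach ($validators as $validator) {
        if (in_array($validator->getName(), $missing, true)) {
            $_SESSION['__ZF']['_VALID'][$validator->getName()] = $validator->getData();
        }
    }
}
```

The direct write into $_SESSION['__ZF']['_VALID'] is a stop-gap that mirrors the layout the advisory's test case asserts on; the durable fix is to upgrade to a release containing the referenced commits, after which the check above should never report a missing entry and can be kept purely as a detection signal.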
framework.zend.com/security/advisory/ZF2015-01
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2015-01.yaml
github.com/zendframework/zendframework
github.com/zendframework/zendframework/commit/1672aee3531205e5c1a0b96d8c680124ec93db09
github.com/zendframework/zendframework/commit/282135561cbf98cc93274c57966b021fd6e051b9
github.com/zendframework/zendframework/commit/5f06a1f80a1aaeac87a46bfa9b63a5a74a14866c
github.com/zendframework/zendframework/commit/9493d725ef869e6ce7ab78167539223396fda491
github.com/zendframework/zendframework/commit/ddbf43ac3fe28fe98a4104993d0cb4bffb13a026
github.com/zendframework/zendframework/commit/f22a83c611732fbc0328f0f887bccc075be1fd56