Zendframework session validation vulnerability

2024-06-0720:20:21

Google

osv.dev

zendframework

session

validation

vulnerability

remoteaddr

httpuseragent

metadata

attackers

software.

AI Score

6.7

Confidence

Low

JSON

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    -&gt;manager
    -&gt;getValidatorChain()
    -&gt;attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this-&gt;manager-&gt;start();

$this-&gt;assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D&gt; '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the “signature” that these validators check against is not being stored in the session.

References

framework.zend.com/security/advisory/ZF2015-01

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2015-01.yaml

github.com/zendframework/zendframework

github.com/zendframework/zendframework/commit/1672aee3531205e5c1a0b96d8c680124ec93db09

github.com/zendframework/zendframework/commit/282135561cbf98cc93274c57966b021fd6e051b9

github.com/zendframework/zendframework/commit/5f06a1f80a1aaeac87a46bfa9b63a5a74a14866c

github.com/zendframework/zendframework/commit/9493d725ef869e6ce7ab78167539223396fda491

github.com/zendframework/zendframework/commit/ddbf43ac3fe28fe98a4104993d0cb4bffb13a026

github.com/zendframework/zendframework/commit/f22a83c611732fbc0328f0f887bccc075be1fd56

AI Score

6.7

Confidence

Low

JSON