Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-96C6-M98X-HXJX
HistoryJun 07, 2024 - 9:25 p.m.

Zend-Session session validation vulnerability

2024-06-0721:25:23
Google
osv.dev
3
zend-session
vulnerability
session-validation
remoteaddr
httpuseragent
metadata
attack
software

AI Score

6.7

Confidence

Low

JSON

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the β€œsignature” that these validators check against is not being stored in the session.

References

AI Score

6.7

Confidence

Low

JSON