Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NmM2LW05OHgtaHhqeM4AA8zy
Zend-Session session validation vulnerability
Zend\Session session validators do not work as expected if set prior to the start of a session.
For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):
$this
->manager
->getValidatorChain()
->attach('session.validate', array(new RemoteAddr(), 'isValid'));
$this->manager->start();
$this->assertSame(
array(
'Zend\Session\Validator\RemoteAddr' =3D> '',
),
$_SESSION['__ZF']['_VALID']
);
The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.
An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NmM2LW05OHgtaHhqeM4AA8zy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-96c6-m98x-hxjx
References:
- https://github.com/zendframework/zend-session/commit/05fa95488b5ade513c4dcc56051a7ddb1c94f341
- https://github.com/zendframework/zend-session/commit/1272fc047121720130690c324413629d8f63d210
- https://github.com/zendframework/zend-session/commit/35014ab0ae17c2a169320f182697ee9fe73d841e
- https://github.com/zendframework/zend-session/commit/3b1a65b3193a4219f5c4259ab8735f9ad254a021
- https://github.com/zendframework/zend-session/commit/6a27a9fddd8f5b12b3af0de6309181ff5946dd0e
- https://github.com/zendframework/zend-session/commit/7c4b73dd64e01001946aac76c6deddfe1c6ef0be
- https://github.com/zendframework/zend-session/commit/7fc94bd6a60342416242a3899d63072c471b33d3
- https://github.com/zendframework/zend-session/commit/93b43aa0ca5348d29034f67195ffa3f4082878d5
- https://github.com/zendframework/zend-session/commit/9868f84513536446b0bac81cc95e0130b0a6fc9c
- https://github.com/zendframework/zend-session/commit/a3382bfd3067f527762294b5fc622550988e6862
- https://github.com/zendframework/zend-session/commit/b1903947e285568344b3458e4524b016ce311072
- https://github.com/zendframework/zend-session/commit/ff9236cc4c4944b5f5a6fbfee01420ef82c4fa91
- https://framework.zend.com/security/advisory/ZF2015-01
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-session/ZF2015-01.yaml
- https://github.com/advisories/GHSA-96c6-m98x-hxjx
Blast Radius: 22.9
Affected Packages
packagist:zendframework/zend-session
Dependent packages: 205Dependent repositories: 3,283
Downloads: 11,637,324 total
Affected Version Ranges: >= 2.3.0, < 2.3.4, >= 2.0.0, < 2.2.9
Fixed in: 2.3.4, 2.2.9
All affected versions: 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.3.0, 2.3.1, 2.3.2, 2.3.3
All unaffected versions: 2.2.9, 2.2.10, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.9.0, 2.9.1