[Full-disclosure] Advisory 01/2006: PHP ext/session HTTP Response Splitting Vulnerability
sesser at hardened-php.net
Thu Jan 12 16:35:28 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
-= Security Advisory =-
Advisory: PHP ext/session HTTP Response Splitting Vulnerability
Release Date: 2006/01/12
Last Modified: 2006/01/12
Author: Stefan Esser [sesser at hardened-php.net]
Application: PHP5 <= 5.1.1
Not Affected: PHP4
PHP5 with Hardening-Patch
Severity: PHP applications using PHP5's session extension are
vulnerable to HTTP Response Splitting attacks
Vendor Status: Vendor has released a bugfixed version
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
During the development of the Hardening-Patch which adds security
hardening features to the PHP codebase, several vulnerabilities
within PHP were discovered. This advisory describes one of these
flaws concerning a weakness in the session extension.
Since PHP5 a user supplied session ID is sent back to the user within
a Set-Cookie HTTP header. Because there were no checks performed on
the validity of this session id, it was possible to inject arbitrary
HTTP headers into the response body of applications using PHP's
builtin session functionality by supplying a special crafted session
This can be used to perform HTTP Response Splitting and Cross Site
Scripting (XSS) attacks on all applications using the session
PHP's own session functionality is using a so-called permissive
system to accept any kind of user supplied session ID. While this is
often criticized as the cause of easier session fixation attacks
against PHP applications, it also means that the session ID has to be
considered as user input in PHP applications.
Therefore it is up to the PHP application to decide if it accepts
the supplied session ID or rejects it because of f.e. not accepted
Until PHP5 the built-in session extension assumes that a user
supplied session ID is already known on the client side and therefore
it is not sent back to the client within a cookie. This behaviour
has changed in PHP5 and because there was no additional checks
added, this enables an attacker to inject anything he wants into the
Set-Cookie HTTP header. This obviously leads to HTTP Response
Splitting vulnerabilities in all applications using PHP's built-in
By simply terminating the HTTP headers from within the Set-Cookie
HTTP header it is of course possible to inject part of the request
body and perform all kinds of Cross Site Scripting (XSS) attacks.
Because PHP's default session storage module, files, will issue a PHP
warning that a session ID with illegal characters was used, this is
not exploitable in some situations where output buffering is switched
off (on server and in the application), the files module is used and
PHP is configured to display warnings.
This means the recommended settings for PHP webservers are vulnerable
and because at least one of the conditions above are not met on nearly
all production servers, most PHP servers are vulnerable to this.
PHP servers using our Hardening-Patch are not vulnerable to this
because they ship with a HTTP Response Splitting protection enabled
by default and also use a strict session ID mode, which disallows all
session IDs not created by PHP itself.
Proof of Concept:
The Hardened-PHP project is not going to release exploits for this
vulnerability to the public.
It is strongly recommended to upgrade to the latest appropriate PHP
release as soon as possible. On the one hand there are also other
fixes in it and on the other hand it finally comes with a HTTP
Response Splitting protection.
Additionally we always recommend to run PHP with the Hardening-Patch
applied, because this vulnerability once again proved that our users
are protected against unknown vulnerabilities before they become
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
Full-Disclosure is hosted and sponsored by Secunia.