GHSA-62f6-h68r-3jpw: Zendframework session validation vulnerability
Zend\Session session validators do not work as expected if set prior to the start of a session.
For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):
$this
->manager
->getValidatorChain()
->attach('session.validate', array(new RemoteAddr(), 'isValid'));
$this->manager->start();
$this->assertSame(
array(
'Zend\Session\Validator\RemoteAddr' =3D> '',
),
$_SESSION['__ZF']['_VALID']
);
The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.
An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the “signature” that these validators check against is not being stored in the session.
References
- framework.zend.com/security/advisory/ZF2015-01
- github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2015-01.yaml
- github.com/advisories/GHSA-62f6-h68r-3jpw
- github.com/zendframework/zendframework
- github.com/zendframework/zendframework/commit/1672aee3531205e5c1a0b96d8c680124ec93db09
- github.com/zendframework/zendframework/commit/282135561cbf98cc93274c57966b021fd6e051b9
- github.com/zendframework/zendframework/commit/5f06a1f80a1aaeac87a46bfa9b63a5a74a14866c
- github.com/zendframework/zendframework/commit/9493d725ef869e6ce7ab78167539223396fda491
- github.com/zendframework/zendframework/commit/ddbf43ac3fe28fe98a4104993d0cb4bffb13a026
- github.com/zendframework/zendframework/commit/f22a83c611732fbc0328f0f887bccc075be1fd56
Code Behaviors & Features
Detect and mitigate GHSA-62f6-h68r-3jpw with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →