Vigil@nce - PHP: session cookie fixation
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can supply an arbitrary session cookie, which PHP
accepts and reuses even if it was never initialized.
– Impacted products: PHP
– Severity: 2/4
– Creation date: 19/08/2013
DESCRIPTION OF THE VULNERABILITY
PHP can create a session, which is identified by a cookie. This
cookie is sent to the client, which returns it with its next
request.
However, if PHP receives a session cookie which was not
initialized, it accepts it nevertheless. Implementing this check
is left to developers.
This design choice is dangerous, and can lead to various attacks,
depending on the way the session cookie is used.
An attacker can therefore supply an arbitrary session cookie, which
PHP accepts and reuses even if it was never initialized.
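One way to implement the check that the description leaves to developers, as an added example that is not part of the Vigil@nce bulletin or of PHP itself. The function names and the `__server_issued` marker key are hypothetical; `session.use_strict_mode` is PHP's own setting for refusing uninitialized session IDs and only takes effect on versions that provide it.

```php
<?php
// Added example: only trust a session whose ID this application issued.
// Function names and the '__server_issued' key are hypothetical.

function start_checked_session(): void
{
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Let PHP refuse IDs it did not generate, where the setting exists
    // (ini_set() simply returns false on versions without it).
    ini_set('session.use_strict_mode', '1');

    session_start();

    // A session created by this code always carries the marker. If it is
    // missing, the ID came from the client without ever being initialized
    // here: PHP has just created an empty session under that ID.
    if (empty($_SESSION['__server_issued'])) {
        $_SESSION = [];               // drop anything stored under the supplied ID
        session_regenerate_id(true);  // issue a fresh ID, delete the old session
        $_SESSION['__server_issued'] = true;
        $_SESSION['__created_at'] = time();
    }
}

function on_login(string $userId): void
{
    // Change the ID at the privilege boundary as well, so an ID known
    // before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_checked_session();
```

Call `start_checked_session()` in place of a bare `session_start()` on every request, before any output is sent, so that the replacement cookie can still be set.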
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PHP-session-cookie-fixation-13286