Session poisoning
Session poisoning is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.
The underlying vulnerability is a state management problem: shared state, race conditions, ambiguity in use, or plain unprotected modification of state values.
Session poisoning has been demonstrated in server environments where different, non-malicious applications (scripts) share the same session state but where usage differs, causing ambiguity and race conditions.
Session poisoning has also been demonstrated in scenarios where an attacker is able to introduce malicious scripts into the server environment, which is possible if attacker and victim share a web host.
Origins
Session poisoning was first discussed as a (potentially new) vulnerability class on the Full disclosure mailing list. Alla Bezroutchko inquired in January 2006 whether "Session data pollution vulnerabilities in web applications" was a new problem. However, this was an old vulnerability previously noted by others: "this is a classic state management issue" - Yvan Boily; "This is not new" - /someone.
Earlier examples of these vulnerabilities can be found in major security resources/archives such as Bugtraq, e.g.
- July 2001 Serious security hole in Mambo Site Server version 3.0.X by Ismael Peinado Palomo of reverseonline.com
- September 2005 PHP Session modification by unknow (from uw-team) and adam_i
Session pollution has also been covered in some articles, such as PHP Session Security by Przemek Sobstel, 2007 (accessed September 22, 2007).
Trivial attack scenario
Example code vulnerable to this problem:
Session("Login") = Request("login")
Session("Username") = Request("username")
Which is subject to trivial attacks such as
vulnerable.asp?login=YES&username=Mary
This problem could exist in software where
- The user submits username / password to logon.asp
- If the password for Mary checks out, logon.asp forwards to vulnerable.asp?login=YES&username=Mary
The problem is that vulnerable.asp is designed on the assumption that the page is only accessed in a non-malicious way. Anyone who realizes how the script is designed is able to craft an HTTP request which sets the logged-on user arbitrarily.
Exploiting ambiguous or dual use of the same session variable
Alla Bezroutchko discusses a scenario where $_SESSION['login'] is used for two different purposes.
- In the login scripts, the session variable stores "This user is logged on".
- In the password reset scripts, the session variable stores "this user wants his password reset".
A race condition was demonstrated, in which the reset scripts could be exploited to change the logged on user arbitrarily.
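The following PHP is an added example, not code from the article or from the people it cites. It shows the fix for both of the scenarios above in one place: for the trivial scenario, the logged-on identity is written to the session only after the server has verified the password, never copied from a request parameter; for the dual-use scenario, "this user is logged on" and "this user wants a password reset" are kept in separate, explicitly named session slots, so the reset flow has no way to change the logged-on user. The in-memory user store, the key names (auth, pwreset), the front-controller layout and all function names are assumptions made for the example.

```php
<?php
// Added example (not from the original article). Assumed layout: one front
// controller handling ?action=logon|reset|reset_done|show.

const AUTH_KEY  = 'auth';      // $_SESSION['auth']    = ['user' => ...]
const RESET_KEY = 'pwreset';   // $_SESSION['pwreset'] = ['user' => ..., 'token' => ..., 'expires' => ...]

// Constructed in-memory user store: username => password hash.
$USERS = ['mary' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

// logon.asp equivalent: authenticate first, then set session state server-side.
function handle_logon(array $users, string $username, string $password): bool {
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh id on privilege change, so a pre-login id never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION[AUTH_KEY] = ['user' => $username];
    return true;
}

// vulnerable.asp equivalent, fixed: identity is read from the session only.
// A query string such as ?login=YES&username=Mary has no effect on it.
function logged_on_user(): ?string {
    return $_SESSION[AUTH_KEY]['user'] ?? null;
}

// Reset state lives under its own key and never touches AUTH_KEY.
function begin_password_reset(array $users, string $username): ?string {
    if (!isset($users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(16));
    $_SESSION[RESET_KEY] = ['user' => $username, 'token' => $token, 'expires' => time() + 600];
    return $token;
}

function complete_password_reset(array &$users, string $token, string $newPassword): bool {
    $reset = $_SESSION[RESET_KEY] ?? null;
    if ($reset === null || time() > $reset['expires'] || !hash_equals($reset['token'], $token)) {
        return false;
    }
    $users[$reset['user']] = password_hash($newPassword, PASSWORD_DEFAULT);
    unset($_SESSION[RESET_KEY]);   // single use; the auth slot is left exactly as it was
    return true;
}

session_start();
switch ($_GET['action'] ?? 'show') {
    case 'logon':
        if (!handle_logon($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
            http_response_code(401);
            echo 'Login failed';
            break;
        }
        header('Location: /?action=show', true, 303);
        break;
    case 'reset':
        // A real application would mail the token; it is echoed here only for the example.
        $token = begin_password_reset($USERS, $_POST['username'] ?? '');
        echo $token === null ? 'reset refused' : 'reset token: ' . $token;
        break;
    case 'reset_done':
        $ok = complete_password_reset($USERS, $_POST['token'] ?? '', $_POST['new_password'] ?? '');
        echo $ok ? 'password changed' : 'reset refused';
        break;
    default:
        $user = logged_on_user();
        echo $user === null ? 'Not logged on' : 'Logged on as ' . htmlspecialchars($user);
}
```

Because the reset flow only ever reads and writes $_SESSION['pwreset'], completing (or abandoning) a reset leaves $_SESSION['auth'] untouched, which is the property the shared $_SESSION['login'] variable in the scenario above could not guarantee.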
Exploiting scripts allowing writes to arbitrary session variables
/someone discusses examples observed in development forums, which allow writing to arbitrary session variables. The first example is
$var = $_GET["something"];
$_SESSION["$var"] = $var2;
(in which $_GET["something"] is probably from a selection box or similar).
Attack becomes
vulnerable.php?something=SESSION_VAR_TO_POISON
Session poisoning attacks enabled by php.ini: register_globals = on
php.ini: register_globals = on is known to enable security vulnerabilities in several applications. PHP server administrators are recommended to disable this feature.
Note: A real-world example of session poisoning enabled by register_globals = on was publicly demonstrated in the July 2001 article Serious security hole in Mambo Site Server version 3.0.X.
Second example by /someone is
if ($condition1) {
    $var = 'SOMETHING';
}
if ($condition2) {
    $var = 'OTHER';
}
$_SESSION["$var"] = $var2;
which is vulnerable if:
- It is possible for an attacker to cause both conditions to be false.
- php.ini is misconfigured (register_globals = on), which allows the default value of $var to be controlled by GPC (GET, POST, or COOKIE) input.
Attack becomes
vulnerable.php?var=SESSION_VAR_TO_POISON
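The following PHP is an added example, not code from the article or from /someone's forum posts. It hardens both arbitrary-write patterns discussed in this section: in the first example the session key now has to come from a fixed allowlist instead of $_GET["something"], and in the second example $var is given a definite value on every path, so there is no uninitialised case for an injected global to fill. It also refuses to run on an engine where register_globals is still on. The prefs key, the allowed key names and the function names are assumptions.

```php
<?php
// Added example (not from the original article).

// Session variables this page is allowed to write, kept under their own
// prefix so they can never collide with authentication state.
const PREFS_KEY          = 'prefs';
const WRITABLE_PREF_KEYS = ['theme', 'language', 'items_per_page'];

function refuse_if_register_globals(): void {
    // ini_get() returns false for a directive the engine does not know
    // (PHP >= 5.4 removed register_globals), so this only fires on old engines.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit('register_globals is enabled; refusing to run');
    }
}

// First pattern, hardened: $_SESSION["$var"] = $var2 becomes a write to a
// known key only. Unknown keys are rejected instead of written.
function set_preference(string $key, string $value): bool {
    if (!in_array($key, WRITABLE_PREF_KEYS, true)) {
        return false;
    }
    $_SESSION[PREFS_KEY][$key] = $value;
    return true;
}

// Second pattern, hardened: every path assigns $var, so no external input
// can supply its "default".
function choose_slot(bool $condition1, bool $condition2): ?string {
    $var = null;
    if ($condition1) {
        $var = 'SOMETHING';
    }
    if ($condition2) {
        $var = 'OTHER';
    }
    return $var;   // null when neither condition holds; callers must check
}

refuse_if_register_globals();
session_start();

// ?something=login&value=YES is now ignored: 'login' is not an allowed key.
if (!set_preference($_GET['something'] ?? '', $_GET['value'] ?? '')) {
    error_log('rejected session write to key ' . var_export($_GET['something'] ?? null, true));
}

$slot = choose_slot(isset($_GET['a']), isset($_GET['b']));
if ($slot !== null) {
    $_SESSION[PREFS_KEY][$slot] = 'constructed value';
}
```

The error_log() call on a rejected key is worth keeping in production: a request that names a session variable the page never offers is a useful signal that someone is probing for exactly this class of bug.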
Exploit utilizing a shared PHP server (e.g. shared web hosting)
unknow of uw-team.org discusses a scenario where attacker and victim share the same PHP server. The attack is fairly easy:
- The attacker first visits the victim's page and, e.g., logs on.
- The attacker then uploads a PHP script to his account and has it display the contents of $_SESSION (set by the victim's script).
- The attacker determines which variable needs to be changed, uploads a script which sets this variable, and executes it.
- The attacker visits the victim's pages to see if the anticipated exploit worked.
This attack only requires that victim and attacker share the same PHP server. It does not depend on victim and attacker having the same virtual hostname, as it is trivial for the attacker to move the session identifier cookie from one cookie domain to another.
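The following PHP is an added example, not code from the article or from uw-team.org. It shows the server-side counterpart to the shared-host scenario above: one application keeps its sessions out of the server-wide default store (typically /tmp, which every tenant's scripts can read and write) and tags each session so that data written by a script outside this application is detected and discarded rather than trusted. The directory path, cookie name and tag value are assumptions. On a host that runs every tenant as the same Unix user, the directory permissions checked below are not sufficient on their own; a per-tenant user (or a database-backed session handler with per-application credentials) is needed as well.

```php
<?php
// Added example (not from the original article).

const APP_SESSION_DIR = '/var/lib/myapp/sessions';   // assumed; mode 0700, owned by this app's user
const APP_COOKIE_NAME = 'MYAPPSESSID';               // assumed; not the shared default PHPSESSID
const APP_TAG         = 'myapp';                     // assumed marker stored in every session

function session_dir_is_private(string $dir): bool {
    // Group and other bits must all be clear: other tenants must not list or read it.
    return is_dir($dir) && (fileperms($dir) & 0077) === 0;
}

function start_isolated_session(): void {
    if (!session_dir_is_private(APP_SESSION_DIR)) {
        http_response_code(500);
        exit('session directory missing or accessible to other users');
    }
    ini_set('session.save_path', APP_SESSION_DIR);
    ini_set('session.use_strict_mode', '1');   // only accept ids this server issued
    ini_set('session.cookie_httponly', '1');
    session_name(APP_COOKIE_NAME);
    session_start();

    // Data present but not tagged by us means another script wrote it.
    // Log the event and drop the data rather than trust any of its keys.
    if ($_SESSION !== [] && ($_SESSION['__app'] ?? null) !== APP_TAG) {
        error_log('untagged session data discarded; id=' . session_id());
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['__app'] = APP_TAG;
}

start_isolated_session();
```

The tag check is a detection control, not the primary defence: the private save path and the distinct cookie name are what keep another tenant's script from reaching this application's session files in the first place, and the tag tells you when that isolation has failed.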