GHSA-62F6-H68R-3JPW

Vulnerability from github – Published: 2024-06-07 20:20 – Updated: 2024-06-07 20:20
VLAI
Summary
Zendframework session validation vulnerability
Details

Zend\Session session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where $this->manager is an instance of Zend\Session\SessionManager):

$this
    ->manager
    ->getValidatorChain()
    ->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
    array(
        'Zend\Session\Validator\RemoteAddr' =3D> '',
    ),
    $_SESSION['__ZF']['_VALID']
);

The implication is that subsequent calls to Zend\Session\SessionManager#start() (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:20:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "`Zend\\Session` session validators do not work as expected if set prior to the start of a session.\n\nFor instance, the following test case fails (where `$this-\u003emanager` is an instance of `Zend\\Session\\SessionManager`):\n```\n$this\n    -\u003emanager\n    -\u003egetValidatorChain()\n    -\u003eattach(\u0027session.validate\u0027, array(new RemoteAddr(), \u0027isValid\u0027));\n\n$this-\u003emanager-\u003estart();\n\n$this-\u003eassertSame(\n    array(\n        \u0027Zend\\Session\\Validator\\RemoteAddr\u0027 =3D\u003e \u0027\u0027,\n    ),\n    $_SESSION[\u0027__ZF\u0027][\u0027_VALID\u0027]\n);\n```\nThe implication is that subsequent calls to `Zend\\Session\\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.\n\nAn attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the \"signature\" that these validators check against is not being stored in the session.",
  "id": "GHSA-62f6-h68r-3jpw",
  "modified": "2024-06-07T20:20:21Z",
  "published": "2024-06-07T20:20:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/1672aee3531205e5c1a0b96d8c680124ec93db09"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/282135561cbf98cc93274c57966b021fd6e051b9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/5f06a1f80a1aaeac87a46bfa9b63a5a74a14866c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/9493d725ef869e6ce7ab78167539223396fda491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/ddbf43ac3fe28fe98a4104993d0cb4bffb13a026"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/f22a83c611732fbc0328f0f887bccc075be1fd56"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2015-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2015-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zendframework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zendframework session validation vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.