Possible vulnerabilities found in PHP session IDs
Seclists.org has posted an advisory titled “Weak RNG in PHP session ID generation leads to session hijacking.” RNG stands for Random Number Generation, and the advisory is warning that not enough entropy is being used to seed the RNG; this, in turn, can lead to a reduced number of possible session IDs under certain specific conditions, thus making brute force session spoofing easier, if not bringing it into the realm of feasibility.
The advisory is given a medium severity level, considering the specific conditions that need to be met on a site in order for it to be vulnerable to the attack:
- It uses the standard PHP session mechanism
- It provides access to the output of the uniqid() function, with the ‘more_entropy’ php.ini configuration set to ‘true’.
- It uses some mechanism to persist the PHP interpreter, such as FCGI.
- It discloses login status and remote address of users
The author recommends the following procedures to help protect your sites:
- Make sure to use real entropy in your session IDs. Usage of the Suhosin patch version 0.9.31 or later will do that for you automatically.
- Never use the value of uniqid() directly—always hash the result. This is orthogonal to the recommendation above, especially if you depend on the uniqid() values to be unguessable.
The author also has some suggestions for the PHP dev team, so I talked with core developer Ilia Alshanetsky on his thoughts on this vulnerability. He responds:
While I do not wish to trivialize the issue, I feel that a mountain is being made out of the molehill here. While the weakness exists, people or distributions can very easily resolve it by setting the ini.session.entropy-file INI setting as documented in the PHP manual. Even on vulnerable systems, guessing the session id would still be fairly difficult and for any degree of reliability require local access to the system.
The section in the manual that Ilia is referring to concerns a php.ini setting that allows you to specify a path to an external resource or file that can provide additional entropy to be used when creating session IDs. This can be set at runtime or in the INI file. A sample INI file using the recommended settings can be found in the php.net SVN repository.