php[architect] logo

Want to check out an issue? Sign up to receive a special offer.

Possible vulnerabilities found in PHP session IDs

Posted by on April 9, 2010 has posted an advisory titled “Weak RNG in PHP session ID generation leads to session hijacking.” RNG stands for Random Number Generation, and the advisory is warning that not enough entropy is being used to seed the RNG; this, in turn, can lead to a reduced number of possible session IDs under certain specific conditions, thus making brute force session spoofing easier, if not bringing it into the realm of feasibility.

The advisory is given a medium severity level, considering the specific conditions that need to be met on a site in order for it to be vulnerable to the attack:

  • It uses the standard PHP session mechanism
  • It provides access to the output of the uniqid() function, with the ‘more_entropy’ php.ini configuration set to ‘true’.
  • It uses some mechanism to persist the PHP interpreter, such as FCGI.
  • It discloses login status and remote address of users

The author recommends the following procedures to help protect your sites:

  • Make sure to use real entropy in your session IDs. Usage of the Suhosin patch version 0.9.31 or later will do that for you automatically.
  • Never use the value of uniqid() directly—always hash the result. This is orthogonal to the recommendation above, especially if you depend on the uniqid() values to be unguessable.

The author also has some suggestions for the PHP dev team, so I talked with core developer Ilia Alshanetsky on his thoughts on this vulnerability. He responds:

While I do not wish to trivialize the issue, I feel that a mountain is being made out of the molehill here. While the weakness exists, people or distributions can very easily resolve it by setting the ini.session.entropy-file INI setting as documented in the PHP manual. Even on vulnerable systems, guessing the session id would still be fairly difficult and for any degree of reliability require local access to the system.

The section in the manual that Ilia is referring to concerns a php.ini setting that allows you to specify a path to an external resource or file that can provide additional entropy to be used when creating session IDs. This can be set at runtime or in the INI file. A sample INI file using the recommended settings can be found in the SVN repository.

Elizabeth Tucker Long is the Editor-In-Chief of php[architect] magazine as well as a trainer and occasional guest blogger for php[architect]. She also runs Treeline Design -, a web development company, and Playlist Event Music -, a DJ company, along with her husband, Chris, and son, Liam.
Tags: , , , ,

Responses and Pingbacks

[…] Tucker Long has posted a new warning about a possible issue with session IDs in PHP dealing with weak random numbers being generated by the language when making the IDs. […]

Leave a comment

Use the form below to leave a comment: