Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Input Validation Error in Session ID Values Permits HTTP Response Splitting Attacks
SecurityTracker Alert ID:  1015484
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 12 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 - 5.1.1
Description:   A vulnerability was reported in Php. A remote user can conduct HTTP response splitting attacks.

The software does not properly validate user-supplied session ID values before setting them via a Set-Cookie HTTP header. A remote user can submit a specially crafted session ID to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

Applications that use PHP5's session extension are affected.

PHP 4 is not affected.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

Impact:   A remote user can create a specially crafted session ID that, when submitted by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution:   The vendor has issued a fixed version (5.1.2), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 01/2006: PHP ext/session HTTP Response

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: PHP ext/session HTTP Response Splitting Vulnerability
 Release Date: 2006/01/12
Last Modified: 2006/01/12
       Author: Stefan Esser []

  Application: PHP5 <= 5.1.1
 Not Affected: PHP4
               PHP5 with Hardening-Patch
     Severity: PHP applications using PHP5's session extension are
               vulnerable to HTTP Response Splitting attacks
         Risk: Critical
Vendor Status: Vendor has released a bugfixed version


   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the session extension.
   Since PHP5 a user supplied session ID is sent back to the user within
   a Set-Cookie HTTP header. Because there were no checks performed on
   the validity of this session id, it was possible to inject arbitrary
   HTTP headers into the response body of applications using PHP's 
   builtin session functionality by supplying a special crafted session 
   This can be used to perform HTTP Response Splitting and Cross Site
   Scripting (XSS) attacks on all applications using the session 


   PHP's own session functionality is using a so-called permissive 
   system to accept any kind of user supplied session ID. While this is 
   often criticized as the cause of easier session fixation attacks 
   against PHP applications, it also means that the session ID has to be 
   considered as user input in PHP applications.
   Therefore it is up to the PHP application to decide if it accepts 
   the supplied session ID or rejects it because of f.e. not accepted 
   Until PHP5 the built-in session extension assumes that a user 
   supplied session ID is already known on the client side and therefore 
   it is not sent back to the client within a cookie. This behaviour
   has changed in PHP5 and because there was no additional checks
   added, this enables an attacker to inject anything he wants into the
   Set-Cookie HTTP header. This obviously leads to HTTP Response 
   Splitting vulnerabilities in all applications using PHP's built-in
   session handling. 
   By simply terminating the HTTP headers from within the Set-Cookie
   HTTP header it is of course possible to inject part of the request
   body and perform all kinds of Cross Site Scripting (XSS) attacks.
   Because PHP's default session storage module, files, will issue a PHP
   warning that a session ID with illegal characters was used, this is
   not exploitable in some situations where output buffering is switched
   off (on server and in the application), the files module is used and 
   PHP is configured to display warnings.
   This means the recommended settings for PHP webservers are vulnerable
   and because at least one of the conditions above are not met on nearly
   all production servers, most PHP servers are vulnerable to this.
   PHP servers using our Hardening-Patch are not vulnerable to this 
   because they ship with a HTTP Response Splitting protection enabled 
   by default and also use a strict session ID mode, which disallows all 
   session IDs not created by PHP itself.

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for this
   vulnerability to the public.


   It is strongly recommended to upgrade to the latest appropriate PHP 
   release as soon as possible. On the one hand there are also other 
   fixes in it and on the other hand it finally comes with a HTTP 
   Response Splitting protection. 
   Additionally we always recommend to run PHP with the Hardening-Patch
   applied, because this vulnerability once again proved that our users
   are protected against unknown vulnerabilities before they become
   public knowledge.


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC