Earth to PHP Security Consortium, earth to...

Wednesday, August 10. 2005

Some weeks ago I have publicly disclosed 2 serious flaws in the PHP Security Guide of the PHP Security Consortium. The PHP community surely remembers the harsh response from the PHPSC leader in response to my publication. Until today he still claims, that the flaws only exist in my imagination (which is very strange because he has fixed them without proper credits) and that I haven't contacted 5 people among the consortium prior to my public disclosure.

Having learned from that experience I sent another flaw in their documentation directly to their official contact address, which is mentioned on their website. This time the flaw is located in their article about howto use Text_CAPTCHA.

This was 2 weeks ago and until today I haven't heard a single line of response. In the meanwhile I have emailed with another security professional from openwall.com and learned that his email with comments about their password hashing article was also ignored.

If you have already read my previous publication, you will realise, that the new flaw is very similiar to the one I previously disclosed in their chapter about CSRF. This suggests that I need to explain the behaviour of the $_SESSION superglobal more clearly, because it is obviously misunderstood by the author of the following example (which was copied directly from his article).

<?php

session_start();

if (isset($_POST['captcha_phrase']) &&
    $_POST['captcha_phrase'] == $_SESSION['captcha_phrase'])
{
    /* Human */
}
else
{
    /* Computer */
}

?>

In this example session_start() is called. This will result in a new session being created if there is no or an unknown session identifier provided. This means the content of the global variable $_SESSION will be deleted and replaced with a new empty $_SESSION superglobal (only on the first call to session_start()). This means that $_SESSION['captcha_phrase'] is uninitialised when it is compared to the POST variable captcha_phrase. This also means that the check in place will evaluate as true if the supplied captcha_phrase is just an empty string.

This actually means a robot can simply provide an unknown session identifier (or none at all) and supply an empty string as answer to the CAPTCHA and will be identified as human. This is a 100% failure of the intended purpose of a CAPTCHA.

Now one could argue that this is only a snippet and not a full example, but this is only a lame excuse, because a) there is a session_start() which would not be needed in a snippet and b) similiar code like this was already found in the wild. How should a PHP newbie know, that the examples from the PHP Security Consortium cannot be trusted and need to be fixed before they can be used.

Posted by Stefan Esser in Security, PHP at 14:18

Comments (6)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Marcus Whitney ()

You're right. The session_start should be removed from the article because I wanted to really focus on how to use the package, not how to write secure session code. I've been made aware of this error and will make the proper changes to the article. Thanks for pointing it out!

- M

posted on Thursday, August 11. 2005

#2 John Wilkins wrote (Link) ()

Good catch on the bug in the session handling, Stefan.

Actually, Marcus's main offense is that he didn't check for the existence of the session variable before he used its value.

I usually like to fix the bugs (if I can) while pointing them out.

Changing the IF statement to the following will fix the bug:
if (isset($_POST['captcha_phrase']) &&
isset($_SESSION['captcha_phrase']) &&
$_POST['captcha_phrase'] == $_SESSION['captcha_phrase'])

Someone should also write an article about the insecurity of the PHP's default session handling. (Session fixation, session stealing, shared hosting /tmp files, etc.)

- John

posted on Thursday, August 11. 2005

#3 Stefan Esser wrote (Link) ()

Yeah well the only annoying part is that I had to announce this public because I got no answer from contact@phpsec.org in 2 weeks. However it is cool how Marcus sees it the same way

And it is also annoying that THIS particular bug is actually in some CAPTCHA implementations in the wild.

posted on Friday, August 12. 2005

#4 NetNerd85 ()

I just read the PDF Security Guide. Now I read this.

Well I can say I will be visiting this site more often and the PHP Security Consortium less.

Its called respect, something most PHP programmers need to learn.

posted on Friday, August 19. 2005

#5 Spidersilk ()

I'm a little confused. Don't you have to call session_start() in order to preserve an existing session?How would this result in the session being reinitialized? I thought if you didn't have session_start() at the beginning of the document, then the session would be lost?

posted on Saturday, August 20. 2005

#6 Stefan ()

Spidersilk the text above just says, that the _SESSION is only filled with session variables (and cannot be user injected) after you called session_start(). The session management system starts with the first call to session_start():

And the problem with the code above is, that after _SESSION start and before the CAPTCHA check it is not ensured, that this session was already started. If a client supplies a session ID for a non existing session or none at all, session_start() will create a new one, an empty one.

The only thing that is reinitialized is, that when there is a _SESSION variable BEFORE session_start() is called the first time (f.e. injected through register_globals), that it will be deleted and replaced with a fresh and empty one.

There is actually code out there, that checks if session_autostart is set to true in the php.ini by only checking for _SESSION. This is obviously wrong.

posted on Saturday, August 20. 2005

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?
Subscribe to this entry

Calendar