The following flaw was found in PHP:
If a session variable name is not allowed, the php session serializer ignores and skips the name but continues parsing the remaining data. This means that an attacker who can control a session variable name is able to inject arbitrary session data. A similar issue also exists in the php_binary session serializer.
Upstream bug:
https://bugs.php.net/bug.php?id=72681
Upstream patch:
https://github.com/php/php-src/commit/8763c6090d627d8bb0ee1d030c30e58f406be9ce?w=1
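The decode loop behaviour described above, modelled in Python as an added illustration (this is not the page's or PHP's own code): a rejected name that is dropped without consuming its value lets the value's own text be re-read as further name|value pairs, which is what the upstream fix changes. The REJECTED_NAMES set, the supported scalar types and the sample session string are assumptions constructed for the demo.

```python
REJECTED_NAMES = {"_SESSION", "GLOBALS"}   # assumed: names the decoder refuses to set


def _unserialize_scalar(data: str, pos: int):
    """Parse one serialized scalar at pos (only i:N; and s:N:"...";).
    Returns (value, position just after the trailing ';')."""
    if data.startswith("i:", pos):
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if data.startswith("s:", pos):
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip ':"'
        if data[start + length:start + length + 2] != '";':
            raise ValueError("malformed serialized string at %d" % pos)
        return data[start:start + length], start + length + 2
    raise ValueError("unsupported serialized type at %d" % pos)


def decode_php_session(data: str, consume_rejected: bool) -> dict:
    """Decode 'name|value;name|value;...' into a dict.
    consume_rejected=False models the pre-patch loop, True the patched one."""
    session, p = {}, 0
    while p < len(data):
        bar = data.find("|", p)
        if bar < 0:
            break                               # no further "name|" pair
        name, q = data[p:bar], bar + 1
        if name in REJECTED_NAMES and not consume_rejected:
            # Pre-patch: the name is dropped but its value is NOT consumed, so the
            # next iteration re-reads the value's text as new "name|value" pairs.
            p = q
            continue
        value, q = _unserialize_scalar(data, q)  # patched: always consume the value
        if name not in REJECTED_NAMES:
            session[name] = value
        p = q
    return session


# Constructed sample: a script stored a key named "_SESSION" whose string value
# itself looks like a serialized session record.
SAMPLE = 'user|s:5:"guest";_SESSION|s:17:"role|s:5:"admin";";'


def demo():
    """Returns (pre-patch result, patched result) for SAMPLE."""
    return (decode_php_session(SAMPLE, consume_rejected=False),
            decode_php_session(SAMPLE, consume_rejected=True))
```

With the pre-patch loop the decoded session gains an extra key carrying the attacker-supplied value "admin"; the patched loop consumes the rejected entry whole and yields only the `user` key.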
Comment 1 - Huzaifa S. Sidhpurwala, 2016-10-20 06:08:03 UTC
Analysis:
In order to exploit this, you need a MITM attacker to know the session name. Then the attacker will be able to hijack the session and control the data passing between the server and the client. The PHP script however needs to run special code in order for the attacker to pull this off.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html