PHP session tokens are normally transmitted through HTTP cookies. However, for
clients that do not support cookies, and when the PHP `session.use_trans_sid`
setting is enabled, PHP rewrites the links and forms it outputs so that the
session token is transmitted as a URL parameter instead.

== Why is this an issue?

A session token carried in a GET URL parameter can be disclosed in a variety of ways:

* Directly in a web browser address bar, and in any link the user copies, bookmarks or shares.
* In navigation history.
* In web server or intermediate proxy log files, which usually record the full request line.
* In the `Referer` header that browsers send to the next site the user navigates to from the page.

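The following is an added example, not part of the rule text, showing how the log-file and `Referer` disclosure paths above can be checked for after the fact: it scans access log lines in Combined Log Format for the default PHP session parameter name `PHPSESSID` in either the request target or the `Referer` field. The log format, the parameter name (changed by `session.name` in real deployments) and the embedded sample lines are assumptions constructed for the example.

```php
<?php
// Added example (not part of the rule text): find PHP session IDs that were
// transmitted as URL parameters, which is what session.use_trans_sid=1 produces
// for cookie-less clients, by scanning web-server access log lines.
// Assumptions: Combined Log Format and the default session name "PHPSESSID".
declare(strict_types=1);

const SESSION_PARAM = 'PHPSESSID';

/**
 * Return one entry per request whose request target or Referer carries a
 * session ID in its query string. The ID is only partially retained so that
 * the scanner's own report does not become another disclosure location.
 *
 * @param string[] $logLines
 * @return array<int, array{client:string, where:string, path:string, sid_hint:string}>
 */
function findLeakedSessionIds(array $logLines, string $sessionName = SESSION_PARAM): array
{
    $hits = [];
    // client ident user [time] "METHOD target protocol" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$/';

    foreach ($logLines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a well-formed Combined Log Format line
        }
        [, $client, , $target, $referer] = $m;

        foreach (['request' => $target, 'referer' => $referer] as $where => $url) {
            $query = parse_url($url, PHP_URL_QUERY);
            if ($query === null || $query === false) {
                continue; // no query string ("-" for an absent Referer lands here too)
            }
            parse_str($query, $params);
            if (!isset($params[$sessionName]) || !is_string($params[$sessionName])) {
                continue;
            }
            $sid = $params[$sessionName];
            $hits[] = [
                'client'   => $client,
                'where'    => $where,
                'path'     => parse_url($url, PHP_URL_PATH) ?? $url,
                'sid_hint' => substr($sid, 0, 4) . '...' . substr($sid, -4),
            ];
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /account?PHPSESSID=o9g7mv2b8qgtd3h4c6ln8b5pk1 HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /account/settings HTTP/1.1" 200 2210 "https://app.example/account?PHPSESSID=o9g7mv2b8qgtd3h4c6ln8b5pk1" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"',
];

foreach (findLeakedSessionIds($sample) as $hit) {
    printf("%s exposed a session ID in the %s (%s): %s\n",
        $hit['client'], $hit['where'], $hit['path'], $hit['sid_hint']);
}
```

Run it with the PHP CLI; the first two sample lines are reported (once from the request line, once from the `Referer`), the third is not. A hit in a log that predates the configuration fix is a reason to invalidate the sessions concerned, not just to change `php.ini`.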
=== What is the potential impact?

Attackers with access to any of those disclosure locations will be able to see
and steal a victim's session token. They can then use it to log in as the user,
impersonate their account, and take advantage of their privileges.

Such an attack can be more or less severe depending on the victim's privileges.
Common security impacts range from data theft to application takeover.

==== Data theft

Attackers with access to a compromised account will be able to disclose any
information stored on it. This includes the Personally Identifiable Information
(PII) of the user.

Protecting the confidentiality of PII is required by data protection
regulations in most countries. Insufficiently protecting this data could have
legal consequences and lead to fines or other prosecutions.

==== Application takeover

Attackers who compromise the account of a high-privileged user could modify
internal web application logic, disrupt workflows, or change other application
settings in a way that gives them full control over it.

Such an attack would lead to reputational damage and financial and legal
consequences.

== How to fix it

=== Code examples

==== Noncompliant code example

[source,ini,diff-id=1,diff-type=noncompliant]
----
; php.ini
session.use_trans_sid=1 ; Noncompliant
----

==== Compliant solution

[source,ini,diff-id=1,diff-type=compliant]
----
; php.ini
session.use_only_cookies=1
session.use_trans_sid=0
----

=== How does this work?

The compliant code example disables the `session.use_trans_sid` setting, so PHP
no longer rewrites emitted links and forms to carry the session token. Keeping
`session.use_only_cookies` enabled (its default value) is the complementary
half of the fix: it makes PHP ignore a session ID that arrives in a query
string or a POST body, so a token that has already been disclosed in a URL, or
one planted by an attacker, cannot be used to attach a request to a session.

Note that `session.use_trans_sid` is off by default. It can also be set outside
`php.ini`, for example from a `.user.ini` or `.htaccess` file or at runtime with
`ini_set()`, so check the effective value with `ini_get()` or `phpinfo()`
rather than the file alone.

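The following is an added example, not part of the rule text, for the case where the application does not own `php.ini` (shared hosting, vendor container images): a bootstrap that applies the cookie-only session settings at runtime and fails closed if the runtime refuses them. The directive names are real PHP settings; the function name, the choice of additional hardening directives and the assumption that the site is served over HTTPS are this example's own.

```php
<?php
// Added example (not part of the rule text): enforce cookie-only session
// transport at runtime. Must run before any output is sent and before
// session_start(), because session.* directives cannot be changed afterwards.
declare(strict_types=1);

/**
 * Apply the cookie-only session settings and return what the runtime reports
 * afterwards, so a health check can verify them.
 *
 * @return array<string,string>
 * @throws RuntimeException if the runtime refuses or ignores the settings.
 */
function hardenSessionTransport(): array
{
    $wanted = [
        'session.use_trans_sid'    => '0', // never append the ID to emitted URLs/forms
        'session.use_only_cookies' => '1', // ignore an ID that arrives in a query string
        'session.use_strict_mode'  => '1', // reject IDs this server never issued
        'session.cookie_httponly'  => '1', // keep the cookie away from script access
        'session.cookie_secure'    => '1', // assumption: the application is served over HTTPS
    ];

    foreach ($wanted as $key => $value) {
        // ini_set() returns false when the directive cannot be changed at runtime.
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("Cannot set $key at runtime; fix it in php.ini");
        }
    }

    $applied = [];
    foreach (array_keys($wanted) as $key) {
        $applied[$key] = (string) ini_get($key);
    }

    // Both directives are needed: use_trans_sid=0 stops PHP emitting the ID in
    // URLs, use_only_cookies=1 stops it accepting an ID that arrives in one.
    if ($applied['session.use_trans_sid'] !== '0' || $applied['session.use_only_cookies'] !== '1') {
        throw new RuntimeException('Session IDs could still travel in URLs: ' . json_encode($applied));
    }
    return $applied;
}

$applied = hardenSessionTransport();
session_start();

// With the URL rewriter disabled this link is emitted exactly as written, even
// for a client that sent no session cookie.
echo '<a href="/account">Account</a>', PHP_EOL;
```

Include it from the application's front controller before anything else writes output. Treating a refused `ini_set()` as fatal is deliberate: silently continuing would leave the application in exactly the state the rule warns about while looking configured.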
== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Set "session.use_trans_sid" to 0 or remove this configuration.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 06:47:24 Linda Martin wrote:
LGTM!

endif::env-github,rspecator-view[]