Detectify
Knowledge Base

Back to Knowledge Base

Support Center

PHP NULL Session

Last Updated: Aug 05, 2016 12:22PM CEST

The PHP null session is a vulnerability that enables the attacker to disclose the path of the executing scripts on the local file system.

What can happen?

Sometimes the path will expose which CMS it's running, which web server the site is using or other sensitive information.

If the web application is hosted under a local user account (such as /home/peter/htdocs/), a local username on the machine is also disclosed, which may open up for exploitation of services other than HTTP (for example SSH).

Example of PHP NULL session

Suppose you have a cookie for session handling: PHPSESSID. If you change its value to an empty string and if the targeted server doesn’t have any checks on its value, then it may result in errors disclosing paths like this:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
Thus, giving attacker a clearer vision of website structure for a further exploitation.

Remediation

Always check if user supplied session is a valid one according to the session.hash_bits_per_character in your configuration. Disable printing of errors in the HTML output by configuring your php.ini. Set the display_errors value to Off.

Resources

‚ÄčRelated articles

support@detectify.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete