Vulnerability in the size of session identifiers.
There is a vulnerability in the size of the session ID generated by the module Apache::Session::Generate::MD5:
{code:none}
#From: http://search.cpan.org/~chorny/Apache-Session-1.92/lib/Apache/Session/Generate/MD5.pm
#...
sub generate {
    my $session = shift;
    my $length = 32;
    if (exists $session->{args}->{IDLength}) {
        $length = $session->{args}->{IDLength};
    }
    $session->{data}->{_session_id} =
        substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
}
#...
{code}
This function is used to manage the session ID.
An example of its use, in lemonldap-ng-handler/lib/Lemonldap/NG/Handler/SecureTocken.pm:
{code:none}
#...
## @method private string _setToken(string value)
# Set token value
# @param value Value
# @return Token key
sub _setToken {
    my ( $class, $value ) = splice @_;
    my $key = Apache::Session::Generate::MD5::generate();#<--- HERE
    my $res =
      $secureTokenMemcachedConnection->set( $key, $value,
        $secureTokenExpiration );
    unless ($res) {
        $class->lmLog( "Unable to store secure token $key", 'error' );
        return;
    }
    $class->lmLog( "Set $value in token $key", 'info' );
    return $key;
}
#...
{code}
A brute-force attack can be performed to find a valid session. To avoid this, replace MD5 with SHA1 or, at best, SHA256.
Ref: ( PHP example, see session.hash_function )
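
The replacement proposed above, as an added example that is not code from Apache::Session or LemonLDAP::NG: a SHA-256 variant of the quoted generate() that also rejects a short IDLength, since substr() would otherwise truncate the ID back to a smaller space. The package name Example::Generate::SHA256 and the 40-character floor are assumptions made for this example.

```perl
# Added example: not code from Apache::Session or LemonLDAP::NG.
use strict;
use warnings;

package Example::Generate::SHA256;    # hypothetical package name
use Digest::SHA ();

use constant MIN_LEN => 40;    # assumption: floor at SHA1's hex length
use constant MAX_LEN => 64;    # sha256_hex returns 64 hex characters

# Same seed material and calling convention as the quoted generate();
# only the digest, the default length and the length check differ.
sub generate {
    my $session = shift;
    my $length  = MAX_LEN;
    if ( exists $session->{args}->{IDLength} ) {
        $length = $session->{args}->{IDLength};
    }

    # substr() would silently truncate the ID, so reject a short IDLength.
    die "IDLength must be an integer from " . MIN_LEN . " to " . MAX_LEN . "\n"
      unless defined $length && $length =~ /\A\d+\z/
      && $length >= MIN_LEN && $length <= MAX_LEN;

    my $digest = Digest::SHA::sha256_hex(
        Digest::SHA::sha256_hex( time() . {} . rand() . $$ ) );
    return $session->{data}->{_session_id} = substr( $digest, 0, $length );
}

# Accept only lowercase hex IDs whose length is inside the allowed range.
sub validate {
    my $id = shift;
    return 0 unless defined $id && $id =~ /\A[0-9a-f]+\z/;
    return ( length($id) >= MIN_LEN && length($id) <= MAX_LEN ) ? 1 : 0;
}

package main;
# Constructed demo input: one IDLength below the floor, two inside the range.
for my $len ( 32, 40, 64 ) {
    my $id = eval {
        Example::Generate::SHA256::generate( { args => { IDLength => $len } } );
    };
    if ( defined $id ) {
        printf "%d hex chars = %d-bit ID space, valid=%d: %s\n",
          $len, 4 * $len, Example::Generate::SHA256::validate($id), $id;
    } else {
        print "IDLength $len rejected: $@";
    }
}
```

Each hex character carries 4 bits, so the figure printed is the upper bound that the ID length places on the search space.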