GHSA-96c6-m98x-hxjx
PHP vulnerability analysis and mitigation

Overview

A session validation vulnerability was discovered in Zend Framework's Session component (zendframework/zend-session). The vulnerability affects versions 2.0.0 through 2.2.8 and 2.3.0 through 2.3.3, and was disclosed on January 14, 2015. The issue occurs when session validators are set prior to starting a session, causing the validators to not work as expected (Zend Advisory).

Technical details

The vulnerability stems from session validators not functioning properly when set before session initialization. When validators like RemoteAddr or HttpUserAgent are set prior to session start, the validator metadata is not properly stored in the session. This causes subsequent calls to Zend\Session\SessionManager#start() to rebuild validator metadata from scratch, incorrectly marking the session as valid. The technical impact is that validator signatures are not being stored in the session, effectively nullifying the security checks (Zend Advisory).

Impact

The vulnerability allows attackers to bypass session validators such as RemoteAddr or HttpUserAgent since the signature that these validators check against is not being stored in the session. This means that security checks meant to validate the session based on IP address or user agent can be circumvented (Zend Advisory).
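To make the mechanism described in the Technical details and Impact sections concrete, the following is an added example, not Zend Framework code: a small, self-contained model of a session manager with RemoteAddr and HttpUserAgent validators attached before start. The class names, the `_VALID` metadata key, the `$fixed` switch and the two request arrays are all constructed for the demonstration. The `fixed = false` path imitates the advisory's description (start() rebuilds validator metadata from scratch, so no signature is ever on record and the check passes); the `fixed = true` path persists the signatures immediately after the session is started, as the fix does.

```php
<?php
// Added example (hypothetical stand-ins for the ZF2 components, not the real API).
declare(strict_types=1);

interface Validator
{
    public function name(): string;
    /** Request-derived value that must stay stable for the life of the session. */
    public function currentValue(array $server): string;
}

final class RemoteAddrValidator implements Validator
{
    public function name(): string { return 'RemoteAddr'; }
    public function currentValue(array $server): string { return $server['REMOTE_ADDR'] ?? ''; }
}

final class HttpUserAgentValidator implements Validator
{
    public function name(): string { return 'HttpUserAgent'; }
    public function currentValue(array $server): string { return $server['HTTP_USER_AGENT'] ?? ''; }
}

final class SessionManager
{
    /** @var Validator[] */
    private array $validators = [];

    public function __construct(private array $server, private bool $fixed) {}

    public function attach(Validator $v): void { $this->validators[] = $v; }

    /**
     * Models start(). $storage stands in for $_SESSION and persists across requests.
     * Returns true when the session is accepted, false when a validator rejects it.
     */
    public function start(array &$storage): bool
    {
        if ($this->fixed) {
            // Fixed behaviour: record each validator's signature right after start,
            // but only once, so later requests are compared against the original.
            foreach ($this->validators as $v) {
                $storage['_VALID'][$v->name()] ??= $v->currentValue($this->server);
            }
        } else {
            // Pre-fix behaviour: metadata is rebuilt from scratch on every start,
            // so whatever the validators stored before start is discarded.
            $storage['_VALID'] = [];
        }
        return $this->validate($storage);
    }

    private function validate(array &$storage): bool
    {
        foreach ($this->validators as $v) {
            $name = $v->name();
            $now  = $v->currentValue($this->server);
            if (!isset($storage['_VALID'][$name])) {
                // Nothing on record to compare against: the validator has no choice
                // but to accept the request and adopt the current value as "valid".
                $storage['_VALID'][$name] = $now;
                continue;
            }
            if (!hash_equals($storage['_VALID'][$name], $now)) {
                return false; // signature mismatch: reject the session
            }
        }
        return true;
    }
}

// Constructed requests: the first establishes the session, the second presents
// the same session from a different address and user agent, which is exactly
// what these validators exist to refuse.
$first  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)'];
$replay = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'curl/8.0'];

/** Runs both requests against one shared session store; returns the accept/reject result per request. */
function runScenario(bool $fixed, array $first, array $replay): array
{
    $session = [];
    $results = [];
    foreach ([$first, $replay] as $request) {
        $manager = new SessionManager($request, $fixed);
        $manager->attach(new RemoteAddrValidator());    // attached BEFORE start()
        $manager->attach(new HttpUserAgentValidator());
        $results[] = $manager->start($session);
    }
    return $results;
}

printf("vulnerable: %s\n", json_encode(runScenario(false, $first, $replay)));
printf("fixed:      %s\n", json_encode(runScenario(true,  $first, $replay)));
```

Run it with `php example.php` (PHP 8.0 or later for constructor promotion). The vulnerable run accepts the second request because each start() wipes the metadata and the validator, finding no stored signature, simply records the new value; the fixed run persists the signatures on the first start and rejects the second request on the RemoteAddr mismatch.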

Mitigation and workarounds

The issue has been fixed by storing the validators' signatures in the session immediately after the call to session_start(), so that nothing set by the validators is lost when the session is initialized. Users should upgrade to Zend Framework 2.2.9 or later (2.2 series) or 2.3.4 or later (2.3 series). Anyone relying on session validators should upgrade immediately (Zend Advisory).
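A quick way to check whether an application still pulls in an affected release is to read the locked version from composer.lock and compare it against the two ranges the advisory names. The script below is an added example, not part of the advisory or of Zend Framework; the lock-file excerpt is constructed for the demonstration, and the `AFFECTED_RANGES` constant encodes the versions stated above (2.0.0 to 2.2.8, fixed in 2.2.9; 2.3.0 to 2.3.3, fixed in 2.3.4).

```php
<?php
// Added example: flag an installed zendframework/zend-session version that falls
// inside the ranges listed in the advisory. Not project code.
declare(strict_types=1);

const AFFECTED_RANGES = [
    ['2.0.0', '2.2.8'],   // fixed in 2.2.9
    ['2.3.0', '2.3.3'],   // fixed in 2.3.4
];

/** True when $version lies inside one of the affected ranges (inclusive). */
function isAffectedVersion(string $version): bool
{
    $v = ltrim($version, 'v');   // Composer records "2.3.3" or "v2.3.3"
    foreach (AFFECTED_RANGES as [$low, $high]) {
        if (version_compare($v, $low, '>=') && version_compare($v, $high, '<=')) {
            return true;
        }
    }
    // Branch aliases such as "dev-master" are not classified by this check.
    return false;
}

/** Returns the locked version of zend-session, or null when it is not installed. */
function findZendSessionVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') === 'zendframework/zend-session') {
            return (string) $pkg['version'];
        }
    }
    return null;
}

// Constructed composer.lock excerpt; in practice use file_get_contents('composer.lock').
$sampleLock = <<<'JSON'
{"packages":[{"name":"zendframework/zend-session","version":"2.3.3"},
             {"name":"zendframework/zend-stdlib","version":"2.3.3"}],
 "packages-dev":[]}
JSON;

$version = findZendSessionVersion($sampleLock);
if ($version === null) {
    echo "zendframework/zend-session is not installed\n";
} elseif (isAffectedVersion($version)) {
    echo "zend-session $version is affected: upgrade to 2.2.9+ or 2.3.4+\n";
} else {
    echo "zend-session $version is not in an affected range\n";
}
```

Point `$sampleLock` at the real composer.lock of each deployed application; the lock file, not composer.json, records what is actually installed, so the check reflects the running code rather than the declared constraint.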

Community reactions

The Zend Framework team acknowledged Yuriy Dyachenko for reporting the issue and Marco Pivetta for providing the patch that resolved the vulnerability (Zend Advisory).

This report was generated using AI.
