Apache::Session Revives Deleted Sessions Vulnerability

Vulnerability

Apache::Session for Perl, in versions through 1.94, can unintentionally restore a session that has already been deleted. The problem lies in two of its backing stores, Apache::Session::Store::File and Apache::Session::Store::DB_File, which recreate a session record when asked to update one that no longer exists. A session the application believes it has permanently removed (for example on logout) can therefore reappear in the store, together with the data that was meant to be discarded.

Impact

A deleted session can be restored without any intent to do so, so data the application meant to discard for good (including whatever the session held before deletion) is written back to the store and remains retrievable under the old session ID.

Reproduction

Calling delete on a tied session removes the record from the backing store, but the tied hash stays writable, and any store into it afterwards flags the session as modified. When the tie object is destroyed (on untie or when it goes out of scope), the pending modifications are written out through the backing store's update method. For the database-backed stores this is harmless: the UPDATE matches no row because the session ID is gone, and the failure is silent. The File and DB_File stores, however, recreate the session record if it does not exist before applying the update. The deleted session is thus written back under its original ID, carrying the data that was supposed to be removed.

Remediation

No official patch is available. The issue can be worked around by not using the Apache::Session::Store::File or Apache::Session::Store::DB_File stores. Because the revival requires a write to the session after it has been deleted, application code should also untie a session immediately after calling delete and never store into it afterwards; that removes the trigger regardless of which store is in use.
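The following Perl script is an added example, not code from this advisory or from the Apache::Session distribution. It exercises the sequence given in the Reproduction section against Apache::Session::File and then applies the delete-then-untie pattern from the Remediation section. It assumes an affected Apache::Session (through 1.94) is installed, writes only under temporary directories, and uses helper names chosen for this example (new_session_with_secret, on_disk, delete_then_write, destroy_session, delete_safely).

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or from Apache::Session itself.
# Assumes an affected Apache::Session (through 1.94) is installed. Session and
# lock files go under temporary directories so the run is self-contained.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Apache::Session::File;

my %opts = (
    Directory     => tempdir(CLEANUP => 1),
    LockDirectory => tempdir(CLEANUP => 1),
);

# Create a session holding data that must not survive deletion, flush it to
# disk, and return its id. Apache::Session::Store::File keeps it at
# Directory/<session id>.
sub new_session_with_secret {
    my %s;
    tie %s, 'Apache::Session::File', undef, \%opts;
    my $id = $s{_session_id};
    $s{token} = 'secret-token';
    untie %s;
    return $id;
}

# Report whether the session file for $id currently exists.
sub on_disk {
    my ($id) = @_;
    return -e "$opts{Directory}/$id" ? 'present' : 'gone';
}

# Reproduction: delete the session, then store into the still-tied hash.
# The store flags the session as modified; untie destroys the tie object,
# whose save path calls Store::File->update, which recreates the file.
sub delete_then_write {
    my ($id) = @_;
    my %s;
    tie %s, 'Apache::Session::File', $id, \%opts;
    tied(%s)->delete;
    printf "%-20s %s\n", 'right after delete:', on_disk($id);
    $s{last_seen} = time;    # the post-delete write that triggers the revival
    untie %s;
    printf "%-20s %s\n", 'after untie:', on_disk($id);
}

# Defensive pattern (hypothetical helper name): delete and untie in one step,
# so no later code path can write into a session that was already removed.
sub destroy_session {
    my ($h) = @_;
    tied(%$h)->delete;
    untie %$h;
}

sub delete_safely {
    my ($id) = @_;
    my %s;
    tie %s, 'Apache::Session::File', $id, \%opts;
    destroy_session(\%s);
    # %s is now a plain hash; a late write cannot reach the backing store.
    $s{last_seen} = time;
    printf "%-20s %s\n", 'after safe delete:', on_disk($id);
}

delete_then_write(new_session_with_secret());
delete_safely(new_session_with_secret());
```

On an affected version, the behaviour the Reproduction section describes implies that the first run reports the file gone right after delete and present again after untie, while the second run reports it gone throughout, because the write after destroy_session lands in an ordinary hash rather than in the tied session. Switching the tie class to a database-backed store would also keep the file from reappearing, since that store's update matches no row for a deleted ID.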

Added: May 8, 2026, 8:27 AM
Updated: May 8, 2026, 8:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 7.7
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.