Apache::Session::Generate::ModUniqueId Insecure Session ID Generation Vulnerability

Vulnerability

A vulnerability exists in Apache::Session::Generate::ModUniqueId versions 1.54 through 1.94: session IDs are taken from the UNIQUE_ID environment variable set by the Apache mod_unique_id module. That value is built from the server's public IPv4 address, the process ID, the epoch time, a 16-bit counter and a thread index, with no obfuscation applied. Because none of these components is random and each is predictable, the resulting session IDs are insecure: the server IP may be public or can be inferred from earlier session IDs, and process IDs and timestamps are easy to guess.
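To show why those components are recoverable, here is an added example (not code from this advisory or from the Apache::Session project) that decodes a UNIQUE_ID into the fields listed above. It assumes the 18-byte mod_unique_id record layout (stamp, in_addr, pid, counter, thread_index, all big-endian, packed six bits per character with mod_unique_id's own alphabet), an older 14-byte layout without the thread index, and a constructed sample ID rather than one captured from a server. A defender can run it over their own session cookies: if they decode to a plausible timestamp and the server's address, the site is still using the predictable generator.

```python
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

# mod_unique_id's 6-bit alphabet: base64-like, with '@' and '-' as the last two symbols
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@-"
TEN_YEARS = 10 * 365 * 86400

def unpack_6bit(uid: str) -> bytes:
    """Undo mod_unique_id's 6-bits-per-character packing; leftover pad bits are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in uid:
        acc = (acc << 6) | ALPHABET.index(ch)  # ValueError on a character outside the alphabet
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)

def decode_unique_id(uid: str) -> dict:
    """Split a UNIQUE_ID into the fields the advisory lists (assumed layout, big-endian)."""
    raw = unpack_6bit(uid)
    if len(raw) == 18:    # Apache 2.x record: stamp, in_addr, pid, counter, thread_index
        stamp, addr, pid, counter, thread_index = struct.unpack(">IIIHI", raw)
    elif len(raw) == 14:  # older record without the thread index (assumed)
        stamp, addr, pid, counter = struct.unpack(">IIIH", raw)
        thread_index = None
    else:
        raise ValueError("not a mod_unique_id record: %d bytes" % len(raw))
    return {
        "timestamp": stamp,
        "issued_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "server_ip": str(IPv4Address(addr)),
        "pid": pid,
        "counter": counter,
        "thread_index": thread_index,
    }

def is_mod_unique_id_session(session_id: str, now_epoch: int) -> bool:
    """Defender's check: does this session ID decode into a plausible mod_unique_id record?"""
    try:
        fields = decode_unique_id(session_id)
    except ValueError:
        return False
    age = now_epoch - fields["timestamp"]
    return 0 <= age <= TEN_YEARS and fields["pid"] > 0

# Constructed sample (not from any server): 2023-11-14T22:13:20Z, 203.0.113.10, pid 4242, counter 7, thread 3
SAMPLE_ID = "ZVPxAMsAcQoAABCSAAcAAAAD"
```

A session ID produced by Apache::Session::Generate::Random has no such structure, so the check returns False for it.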

Impact

This vulnerability leads to the generation of predictable session IDs, which can be exploited to hijack user sessions or access restricted data.

Remediation

Users can switch to Apache::Session::Generate::Random, which derives session IDs from system randomness instead of the UNIQUE_ID value. Instructions for downloading this module are available on MetaCPAN.

Added: May 6, 2026, 7:13 PM
Updated: May 6, 2026, 7:13 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          1.3
exploitability  7.7
remediation     0.0
relevance       7.6
threat          3.2
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.