Re: FW: PHP 4.x session spoofing

From: Gunzour (gunzour@yahoo.com)
Date: 01/15/02


Date: Tue, 15 Jan 2002 05:17:12 -0800 (PST)
From: Gunzour <gunzour@yahoo.com>
To: daniel@lorch.cc, bugtraq@securityfocus.com


I reported this to bugs.php.net over a year ago (bug
#8189) and more recently I wrote an article for a PHP
website about the use of PHP sessions for
authentication, although that article has not yet been
published.

> Since PHP4 there is a native support for sessions,
> which was derived
> from the PHPLib. But instead of using a SQL backend
> to store these
> IDs, they chose to store them as files in /tmp.

You can configure PHP to store sessions in an SQL
database with session_set_save_handler. That will add
to the complexity of your configuration, but will
probably not make it any more secure. (How secure is
your SQL backend?)

> I suggest to create a directory called
>
> mkdir /tmp/php_sessions/

You're still in the /tmp directory, so there's still a
potential for misuse. I could do "mv php_sessions
php_sessions_old; mkdir php_sessions; echo 'juicy
session data here' >
php_sessions/sess_g35g5g54gg45wg85" and create my own
sessions, assuming I know what data needs to be in the
session file.

This may protect you from casual shell users, but what
about malicious PHP scripts, or other sites in a
virtual hosting environment?

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/