Re: FW: PHP 4.x session spoofing
From: Gunzour (gunzour@yahoo.com)Date: 01/15/02
- Previous message: Ivan Sergio Borgonovo: "IE FORM DOS"
- Maybe in reply to: Daniel Lorch: "PHP 4.x session spoofing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Jan 2002 05:17:12 -0800 (PST) From: Gunzour <gunzour@yahoo.com> To: daniel@lorch.cc, bugtraq@securityfocus.com
I reported this to bugs.php.net over a year ago (bug
#8189) and more recently I wrote an article for a PHP
website about the use of PHP sessions for
authentication, although that article has not yet been
published.
> Since PHP4 there is a native support for sessions,
> which was derived
> from the PHPLib. But instead of using a SQL backend
> to store these
> IDs, they chose to store them as files in /tmp.
You can configure PHP to store sessions in an SQL
database with session_set_save_handler. That will add
to the complexity of your configuration, but will
probably not make it any more secure. (How secure is
your SQL backend?)
> I suggest to create a directory called
>
> mkdir /tmp/php_sessions/
You're still in the /tmp directory, so there's still a
potential for misuse. I could do "mv php_sessions
php_sessions_old; mkdir php_sessions; echo 'juicy
session data here' >
php_sessions/sess_g35g5g54gg45wg85" and create my own
sessions, assuming I know what data needs to be in the
session file.
This may protect you from casual shell users, but what
about malicious PHP scripts, or other sites in a
virtual hosting environment?
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
- Previous message: Ivan Sergio Borgonovo: "IE FORM DOS"
- Maybe in reply to: Daniel Lorch: "PHP 4.x session spoofing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
