Re: FW: PHP 4.x session spoofing

From: Gunzour (gunzour@yahoo.com)
Date: 01/15/02


Date: Tue, 15 Jan 2002 05:17:12 -0800 (PST)
From: Gunzour <gunzour@yahoo.com>
To: daniel@lorch.cc, bugtraq@securityfocus.com


I reported this to bugs.php.net over a year ago (bug
#8189) and more recently I wrote an article for a PHP
website about the use of PHP sessions for
authentication, although that article has not yet been
published.

> Since PHP4 there is a native support for sessions, which was derived
> from the PHPLib. But instead of using a SQL backend to store these
> IDs, they chose to store them as files in /tmp.

You can configure PHP to store sessions in an SQL
database with session_set_save_handler. That will add
to the complexity of your configuration, but will
probably not make it any more secure. (How secure is
your SQL backend?)

> I suggest to create a directory called
>
> mkdir /tmp/php_sessions/

You're still in the /tmp directory, so there's still a
potential for misuse. I could do "mv php_sessions
php_sessions_old; mkdir php_sessions; echo 'juicy
session data here' >
php_sessions/sess_g35g5g54gg45wg85" and create my own
sessions, assuming I know what data needs to be in the
session file.

This may protect you from casual shell users, but what
about malicious PHP scripts, or other sites in a
virtual hosting environment?
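
The point made above is that a session directory is only as trustworthy as its own ownership and mode and the writability of every directory above it. A defender-side audit of that, as an added example that is not part of the original post; the function names are hypothetical, and reporting sticky directories such as /tmp is a deliberately strict assumption:

```shell
#!/bin/sh
# Added example (not from the original post). Audits the directory that PHP's
# session.save_path points at. All function names here are hypothetical.

# Succeeds only if DIR is a real directory (not a symlink), is owned by OWNER
# (user name or numeric uid), and grants nothing to group or other.
dir_is_private() {
    dir=$1; owner=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -user "$owner" -print)" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ]
}

# Prints every ancestor of DIR that group or other can write to. Write access
# to an ancestor may allow creating or replacing names beneath it, which is
# the directory swap the post describes. Sticky directories are reported too
# (assumption: treat any shared-writable parent as unsuitable).
loose_ancestors() {
    p=$(cd "$1" && pwd -P) || return 1
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Usage: audit_session_dir DIR OWNER
# Returns 0 only if DIR is private to OWNER and no ancestor is loosely writable.
audit_session_dir() {
    rc=0
    dir_is_private "$1" "$2" || { echo "FAIL: $1 is not private to $2"; rc=1; }
    loose=$(loose_ancestors "$1") || { echo "FAIL: cannot resolve $1"; return 1; }
    if [ -n "$loose" ]; then
        echo "FAIL: group/world-writable ancestors:"
        echo "$loose"
        rc=1
    fi
    return $rc
}
```

A mode-0700 directory under /tmp passes the first check and fails the second. The audit says nothing about other PHP scripts running under the same account, which is the virtual-hosting case the post raises.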



