|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
about PHP Security Consortium (phpsec.org) and sessions |
|
Posted: Fri May 13, 2005 12:50 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
sessions part: http://phpsec.org/projects/guide/4.html
i think their advice about sessions is not talked fully and may lead to
pitfalls (many people dont bother to think self). sessions are a difficult subject since there are many attack vectors. session ids must be real unique (random).. since with "online users" lists it may be possible to get a ammount of time which sessions ids might have been generated (refer to phpbb 2.0.15 changelog, for a bug same as this - which by fate was discovered by me) and secondly, in my opinion securing the session tokens from getting stolen should be priority.
thirdly a pitfall that i almost fell reading phpsec.org was that users should not
be able to create sessions for themselves. i mean - if there isnt a valid session - create it within script, dont create sessions with user submitted token. i made the test with their script locally. when i
made the custom sessions handler with mysql like theirs (http://phpsec.org/projects/guide/5.html).
i couldnt help noticing that when i go to page.php?PHPSESSID=customsession then i get a entry like that in DB.
but now when i say to admin that: "hey login and check PM i send ya" at
www.example.com?PHPSESSID=mysess , when admin has logged in then all i have to do is visit page using same session id myself.
[edit]
and setting a cookie to other domains are allowed for firefox, so this action
could be done much less obious
[/edit]
just read, think and practice everything before you put something to use.
|
|
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
Posted: Fri May 13, 2005 3:57 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
very interesting |
|
|
|
|
|
|
|
|
Posted: Fri May 13, 2005 10:06 pm |
|
|
Heintz |
Valuable expert |
|
|
Joined: Jun 12, 2004 |
Posts: 88 |
Location: Estonia/Sweden |
|
|
|
|
|
|
yes, i was missing a thing there that this "cross site session hijacking"
is only possible when upon authendication a new session id is *not* generated.
heres the case:
victim visits a malicious site, which sets a cookie to him. cookie contains a session id that has been generated before by attacker. (attacker can generate a valid session id by visiting the site self for example).
when the user has the cookie then by visiting the original site he hijacks
attackers session without self knowing it. when victim is in attacers session
then he logins - and when login doesnt generate a new session id then attacker can use the same session id. now when phpbb developers would have listened phpsec.org and used only User-Agent as "fixer" then they would have been vulnearable to this (only with difference that attacker has to know what browser and maybe computer admin is using).
[edit]
i sent a mail to phpsec.org about it
[/edit]
more new info:
the phpsec.org-s authors book covers this topic perfectly, but why is it left out from from html paper?
edit3:
my bad i didnt read tutorial carefully
this topic is covered, but still it is an interesting type of vulnearability |
|
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|