Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 71
Members: 0
Total: 71
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Php -> about PHP Security Consortium (phpsec.org) and sessions
Post new topicReply to topic View previous topic :: View next topic
about PHP Security Consortium (phpsec.org) and sessions
PostPosted: Fri May 13, 2005 12:50 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




sessions part: http://phpsec.org/projects/guide/4.html

i think their advice about sessions is not talked fully and may lead to
pitfalls (many people dont bother to think self). sessions are a difficult subject since there are many attack vectors. session ids must be real unique (random).. since with "online users" lists it may be possible to get a ammount of time which sessions ids might have been generated (refer to phpbb 2.0.15 changelog, for a bug same as this - which by fate was discovered by me) and secondly, in my opinion securing the session tokens from getting stolen should be priority.
thirdly a pitfall that i almost fell reading phpsec.org was that users should not
be able to create sessions for themselves. i mean - if there isnt a valid session - create it within script, dont create sessions with user submitted token. i made the test with their script locally. when i
made the custom sessions handler with mysql like theirs (http://phpsec.org/projects/guide/5.html).
i couldnt help noticing that when i go to page.php?PHPSESSID=customsession then i get a entry like that in DB.
but now when i say to admin that: "hey login and check PM i send ya" at
www.example.com?PHPSESSID=mysess , when admin has logged in then all i have to do is visit page using same session id myself.

[edit]
and setting a cookie to other domains are allowed for firefox, so this action
could be done much less obious
[/edit]

just read, think and practice everything before you put something to use.

Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri May 13, 2005 3:57 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




very interesting Cool
View user's profile Send private message Visit poster's website
PostPosted: Fri May 13, 2005 10:06 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yes, i was missing a thing there that this "cross site session hijacking"
is only possible when upon authendication a new session id is *not* generated.

heres the case:
victim visits a malicious site, which sets a cookie to him. cookie contains a session id that has been generated before by attacker. (attacker can generate a valid session id by visiting the site self for example).
when the user has the cookie then by visiting the original site he hijacks
attackers session without self knowing it. when victim is in attacers session
then he logins - and when login doesnt generate a new session id then attacker can use the same session id. now when phpbb developers would have listened phpsec.org and used only User-Agent as "fixer" then they would have been vulnearable to this (only with difference that attacker has to know what browser and maybe computer admin is using). Cool

[edit]
i sent a mail to phpsec.org about it
[/edit]

more new info:
the phpsec.org-s authors book covers this topic perfectly, but why is it left out from from html paper? Sad

edit3:

my bad i didnt read tutorial carefully
this topic is covered, but still it is an interesting type of vulnearability

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
about PHP Security Consortium (phpsec.org) and sessions
www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds