Vulnerability Development mailing list archives

Re: php / phplib session-id generation


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Thu, 5 Jul 2001 11:18:13 -0400 (EDT)

On Thu, 5 Jul 2001, Jarno Huuskonen wrote:

> What methods could attacker use to determine the time on the server ?
> Use ntp if the server has ntp-server... What about tcp-timestamps
> could they be used for determining the time ?

no need to even go that far. just look (manually) through your HTTP return
headers:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
head / http/1.0

HTTP/1.1 501 Method Not Implemented
Date: Thu, 05 Jul 2001 15:16:04 GMT

[snip]

:) now you know the time and the delta from you down to the second.

you know the rest. it turns out the method commonly employed by PHP
apps for 'random filenames' isn't so random after all (MD5 of user
supplied input concatenated with the time, i.e. a hash of a known with
something deterministic).

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
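To make the point concrete, here is an added example (Python, not code from the post, from PHP or from phplib): a stand-in for the "MD5 of known input plus time" pattern described above, the Date header quoted in the post used to recover the server clock, and a CSPRNG-based token as the fix. The exact phplib formula is not shown in the thread, so `weak_token` is illustrative; all function names are hypothetical.

```python
"""Why md5(known_input + server_time) carries almost no entropy.

The weak scheme mirrors the pattern criticised in the thread. With the
server clock leaked by the HTTP Date header, the candidate space for the
token collapses to a few seconds rather than 2**128 values.
"""
import hashlib
import secrets
from email.utils import parsedate_to_datetime
from typing import Optional

# The Date header quoted in the post (leaks the server clock to the second).
SAMPLE_DATE_HEADER = "Date: Thu, 05 Jul 2001 15:16:04 GMT"


def weak_token(known_input: str, unix_time: int) -> str:
    """Illustrative weak scheme: hash of a value the client knows plus time()."""
    return hashlib.md5(f"{known_input}{unix_time}".encode()).hexdigest()


def server_time_from_header(header_line: str) -> int:
    """Parse an RFC 1123 Date header into the server's Unix time."""
    _, value = header_line.split(":", 1)
    return int(parsedate_to_datetime(value.strip()).timestamp())


def recover_time(token: str, known_input: str,
                 server_time: int, window: int) -> Optional[int]:
    """Measure the effective entropy: only 2*window+1 timestamps need to be
    hashed once the clock is known. Returns the timestamp that produced
    `token`, or None if it lies outside the window."""
    for t in range(server_time - window, server_time + window + 1):
        if weak_token(known_input, t) == token:
            return t
    return None


def strong_token() -> str:
    """The fix: draw the identifier from the OS CSPRNG; the clock plays no part."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    now = server_time_from_header(SAMPLE_DATE_HEADER)
    issued = weak_token("alice", now + 3)          # token minted 3 s later
    print("server time from header:", now)
    print("weak token recovered at:", recover_time(issued, "alice", now, 30))
    print("CSPRNG token (unpredictable):", strong_token())
```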

