WebApp Sec mailing list archives
Re: PHP session management
From: Tommy Gildseth <gildseth () start no>
Date: Sun, 26 Oct 2003 15:06:35 +0100
Gavin Zuchlinski wrote:
Hi,I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX to store session information (of course only readable by the apache user),
This isn't really a problem to bypass. If someones got local access, it's likely they will have access to some sort of webfolder, wether that be a virtualhost, or homedirs(www.foo.com/~username), you can easily access the information stored in the session with a script like this:
<?php session_start(); print_r($_SESSION); ?> And accessing that script with: sesscontent.php?PHPSESSID=<session_id>PHP doesn't seem to maintain any information about which users webarea "owns" the session.
but "XXXXXXXXX" is the actual session ID. If a person has a local access to a system using PHP's session management, aren't they able to hijack any session?
Yes, they can.
Current thread:
- PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Hokkaido (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Boris Penck (Oct 27)
- Re: PHP session management weigelt (Oct 28)
- Re: PHP session management Ivan Ristic (Oct 28)
- Re: PHP session management weigelt (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)