WebApp Sec mailing list archives

Re: PHP session management

From: "Hokkaido" <hokkaido () serverart org>
Date: Mon, 27 Oct 2003 13:15:44 -0000

Gavin Zuchlinski <gzuchlinski () pgsit org> said:

On Sunday 26 October 2003 09:06 am, you wrote:

This isn't really a problem to bypass. If someones got local access,
it's likely they will have access to some sort of webfolder, wether that
be a virtualhost, or homedirs(www.foo.com/~username), you can easily
access the information stored in the session with a script like this:

Just to throw this out in the air, if you would create a directory that was 
readable and writeable only to apache cookies could be (semi)securely stored 
there. Then using safe mode and openbasedir writing a script to find the file 
names wouldnt work. All this assumes that PHP is the only scripting language 
though. So what it would come down to is a cross site scripting like attack 
using the what Tommy Gildseth mentioned.
Alright, now poke holes in my idea.

-Gavin
http://libox.net/




-- 

This is suggested as a workaround at
http://www.securityfocus.com/archive/1/250196.

Hokkaido




------------------------------------------------------------------
  This email was checked by AMaViS anti-virus system !
  Get yourself a free email address at http://mail.serverart.org

Current thread:

PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
  - Re: PHP session management Gavin Zuchlinski (Oct 26)
    - Re: PHP session management Hokkaido (Oct 27)
  - Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Boris Penck (Oct 27)
  - Re: PHP session management weigelt (Oct 28)
    - Re: PHP session management Ivan Ristic (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)