Penetration Testing mailing list archives

Re: [PEN-TEST] E-Commerce Merchant Penetration Observations


From: Shaun Clowes <shaman () PROGSOC UTS EDU AU>
Date: Fri, 25 Aug 2000 10:23:19 +1000

Hi Ben,

I too have been doing some security auditing of PHP and I've got some
interesting things to say about it, but I'll save that advisory for
another day :)

    Well I'm sitting here trying to meet my deadline of 10 am (heh
coding for 32 hours straight makes your brain hurt)...  Anyhow I'm
creating an E-Commerce engine for one of our clients using php (ver. 4
patch release 2).  One of the techniques I'm using of course is sessions
(see www.php.net's manual on sessions for a detailed description).
Anyway, I was in the middle of creating a gawk/bash script to do a
search/replace on a bunch of files and copied the files temporarily into
/tmp.  Well while doing this I saw a lot of files called sess_* (e.g.
sess_a0s9821098b098109s8019830129).

Yerp, sessions are recorded in a file, that's how they remain
persistent. They're recorded in the directory PHP is told to store
temporary files in by default, but admins can install different backends
to the session engine. The one that comes to mind is a MySQL backend I saw
on Freshmeat.

Anyways, this is only really a problem on multi user systems, but PHP
installed as anything other than CGI with suEXEC on a multi user system is
probably asking for trouble anyway.

You can't modify the data in a session that is currently open, but you
can modify data in sessions that aren't currently open by an executing PHP
script.

The files are removed automatically after a certain amount of time
(configured in the php configuration) anyway.

Cheers,
Shaun
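The exposure the reply describes, as an added example that is not part of the original thread: a small POSIX shell audit that lists sess_* files in a session save path whose permission bits let group or other users read or rewrite them, plus a helper that creates a private per-application save directory and prints the matching php.ini `session.save_path` line. The directory and file names below are constructed for the demo; the `stat` fallback for GNU versus BSD is an assumption about the host.

```shell
#!/bin/sh
# Added example, not code from the original thread. It audits a PHP
# session.save_path for sess_* files that other local users on a shared
# host could read or rewrite, which is the exposure discussed above.
# Assumes a POSIX sh and a stat(1) that accepts either GNU -c or BSD -f.

# octal_mode FILE: print the permission bits of FILE as octal digits.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_sess_dir DIR: report (on stderr) every sess_* file in DIR whose
# mode grants read or write to group or other, and print the count on
# stdout so callers can act on it.
audit_sess_dir() {
    dir=$1
    count=0
    for f in "$dir"/sess_*; do
        [ -f "$f" ] || continue
        mode=$(octal_mode "$f")
        # A leading 0 makes the shell treat the digits as octal; mask 066
        # selects the group and other read/write bits.
        if [ $(( 0$mode & 066 )) -ne 0 ]; then
            printf 'exposed: %s (mode %s)\n' "$f" "$mode" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# make_private_save_path DIR: create a per-application session directory
# that only its owner can enter, and print the php.ini directive that
# points PHP at it instead of the shared temporary directory.
make_private_save_path() {
    mkdir -p "$1" && chmod 0700 "$1" || return 1
    printf 'session.save_path = "%s"\n' "$1"
}

# Usage with constructed sample files (a real audit would be pointed at
# the live save_path, e.g. /tmp):
demo_dir=$(mktemp -d)
: > "$demo_dir/sess_a0s9821098b098109s8019830129"
chmod 0600 "$demo_dir/sess_a0s9821098b098109s8019830129"   # private, fine
: > "$demo_dir/sess_readable"; chmod 0644 "$demo_dir/sess_readable"  # readable
: > "$demo_dir/sess_writable"; chmod 0666 "$demo_dir/sess_writable"  # writable
audit_sess_dir "$demo_dir"
make_private_save_path "$demo_dir/private"
rm -rf "$demo_dir"
```

The audit only covers file modes; on a shared host the directory mode matters too, since a world-writable /tmp with the sticky bit stops deletion by other users but not reading of files whose own mode is loose. The private save path is one way to address that; the thread's other option, a non-file backend such as a database session handler, removes the files entirely.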

