Penetration Testing mailing list archives
Re: [PEN-TEST] E-Commerce Merchant Penetration Observations
From: Shaun Clowes <shaman () PROGSOC UTS EDU AU>
Date: Fri, 25 Aug 2000 10:23:19 +1000
Hi Ben, I too have been doing some security auditing of PHP and I've got some interesting things to say about it, but I'll save that advisory for another day :)
Well I'm sitting here trying to meet my deadline of 10 am (heh coding for 32 hours straight makes your brain hurt)... Anyhow I'm creating an E-Commerce engine for one of our clients using PHP (ver. 4 patch release 2). One of the techniques I'm using of course is sessions (see www.php.net's manual on sessions for a detailed description). Anyway, I was in the middle of creating a gawk/bash script to do a search/replace on a bunch of files and copied the files temporarily into /tmp. Well while doing this I saw a lot of files called sess_* (ex. sess_a0s9821098b098109s8019830129).
Yerp, sessions are recorded in a file, that's how they remain persistent. They're recorded in the directory PHP is told to store temporary files in by default, but admins can install different backends to the session engine. The one that comes to mind is a MySQL backend I saw on Freshmeat.

Anyways, this is only really a problem on multi-user systems, but PHP installed as anything other than CGI with suEXEC on a multi-user system is probably asking for trouble anyway. You can't modify the data in a session that is currently open, but you can modify data in sessions that aren't currently open by an executing PHP script. The files are removed automatically after a certain amount of time (configured in the PHP configuration) anyway.

Cheers,
Shaun
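
An added example, not part of the original post: a Python audit of a file-based PHP session directory like the one described above. It flags a directory that other local users can list or write to, and sess_* files whose mode lets group or other read or modify them. The directory is passed as an argument (an assumption; in the post it was /tmp).

```python
import os
import stat
import sys

SESSION_PREFIX = "sess_"  # file name prefix seen in the post (sess_<session id>)


def audit_session_dir(path):
    """Return a list of (item, problem) findings for a session directory."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    # Session IDs are part of the file names, so a listable directory leaks them.
    if dir_mode & stat.S_IROTH:
        findings.append((path, "directory is listable by other users"))
    if dir_mode & stat.S_IWOTH:
        findings.append((path, "directory is world-writable"))

    for name in sorted(os.listdir(path)):
        if not name.startswith(SESSION_PREFIX):
            continue
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat: do not follow a symlink planted in a shared dir
        if not stat.S_ISREG(st.st_mode):
            findings.append((full, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((full, "readable by group/other"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((full, "writable by group/other"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sessions.py <session directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    results = audit_session_dir(target)
    for item, problem in results:
        print(f"{item}: {problem}")
    sys.exit(1 if results else 0)
```

File modes alone do not separate sites that all run under the same web server user, which is the multi-user case the post warns about.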
Current thread:
- [PEN-TEST] E-Commerce Merchant Penetration Observations Ben Lull (Aug 24)
- Re: [PEN-TEST] E-Commerce Merchant Penetration Observations Shaun Clowes (Aug 26)