Vulnerability Development mailing list archives
Re: php / phplib session-id generation
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Thu, 5 Jul 2001 11:18:13 -0400 (EDT)
On Thu, 5 Jul 2001, Jarno Huuskonen wrote:
> What methods could an attacker use to determine the time on the server?
> Use ntp if the server has ntp-server... What about tcp-timestamps, could
> they be used for determining the time?
no need to even go that far. just look (manually) through your HTTP return headers:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
head / http/1.0
HTTP/1.1 501 Method Not Implemented
Date: Thu, 05 Jul 2001 15:16:04 GMT
[snip]

:) now you know the time and the delta from you down to the second. you know the rest.

it turns out the method commonly employed by PHP apps for 'random filenames' isn't so random after all (MD5 of user supplied input concatenated with the time, i.e. a hash of a known with something deterministic).

____________________________
jose nazario                                 jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
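The weakness described in the reply above, as an added example that is not part of the original post: an audit sketch showing how few bits an MD5(input + time) token carries once the Date header fixes the server clock, next to a CSPRNG replacement. The function names, the sample file name and the exact concatenation format (input followed by decimal Unix seconds) are assumptions.

```python
import hashlib
import math
import secrets
from email.utils import parsedate_to_datetime


def server_epoch(date_header: str) -> int:
    """Unix seconds from an HTTP Date header value."""
    return int(parsedate_to_datetime(date_header).timestamp())


def weak_token(user_input: str, unix_time: int) -> str:
    """Scheme from the post: MD5(known input || time).
    The exact concatenation format is an assumption."""
    return hashlib.md5(f"{user_input}{unix_time}".encode()).hexdigest()


def recover_time(token: str, user_input: str, around: int, window: int):
    """Audit helper: timestamp that yields `token` within +/- window s, or None."""
    for t in range(around - window, around + window + 1):
        if weak_token(user_input, t) == token:
            return t
    return None


def effective_bits(window: int) -> float:
    """Unpredictability left once the time is known to +/- window seconds."""
    return math.log2(2 * window + 1)


def strong_token(nbytes: int = 16) -> str:
    """Replacement: all bits come from the OS CSPRNG, none from the clock."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample: Date header from the session above, made-up input.
    now = server_epoch("Thu, 05 Jul 2001 15:16:04 GMT")
    issued = weak_token("upload.txt", now - 3)   # token minted 3 s earlier
    print("recovered time:", recover_time(issued, "upload.txt", now, 5))
    print("bits at +/-5 s: %.2f" % effective_bits(5))
    print("CSPRNG token  :", strong_token(), "(128 bits)")
```

The 128-bit MD5 output length says nothing about strength here: with the input known and the clock pinned to a few seconds, the token has under 4 bits of unpredictability.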