PHP 4.x Session Spoofing

Mafukie
01-18-2002, 02:30 AM
I read about this exploit on neworder
http://neworder.box.sk/showme.php3?id=6058
it shows the problem, and gives a solution

priyadi
01-18-2002, 04:16 AM
A better way would be to use PHP in CGI mode (+suexec) and store all session information inside users' home directories. However, this requires every user to have their own php.ini file.

zupanm
01-18-2002, 01:09 PM
Actually their workaround is the best solution. Just make a dir to store the sessions and only allow the apache user to get in and read/write to that dir.

Ahmad
01-18-2002, 01:22 PM
Originally posted by zupanm
Actually their workaround is the best solution. Just make a dir to store the sessions and only allow the apache user to get in and read/write to that dir.

I would say: allow the apache user to only get in and read/write to that dir. The idea is that the Apache user shouldn't be able to list the contents of the directory. However, that provided solution doesn't stop anybody on the server from getting direct and full access to other users' sessions if they get to know the session IDs. The solution provided by 'priyadi' is better and good for solving other problems too, like everybody's ability to directly read others' PHP files containing DB passwords :eek:

<<UPDATE: session IDs that are incorporated into URLs (like in this forum) can be easily extracted from the httpd's logs. To solve this, you must give the httpd user ONLY WRITE ACCESS to the log files, and NO READ ACCESS. You must also note that if you take read access to the logs away from the httpd user, you must make sure that log analyzers will run in a different way, allowing them to get read access to the files.>>

priyadi
01-18-2002, 02:34 PM
Originally posted by ahmadhash
session IDs that are incorporated into URLs (like in this forum) can be easily extracted from the httpd's logs. To solve this, you must give the httpd user ONLY WRITE ACCESS to the log files, and NO READ ACCESS.

Write access to httpd logs for the httpd user is not even needed, since log files are opened by the Apache parent process, which is always running as the root user. As long as the log files are writable by root, it should be OK.

Ahmad
01-18-2002, 03:25 PM
Thanks for the correction priyadi, that's even better :)
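The per-user session directory that priyadi and zupanm describe, as an added example that is not part of the thread: a POSIX shell script that creates the directory with mode 0700, appends the session.save_path setting to that user's php.ini (the CGI + suexec layout, where each user has their own php.ini), and checks that no group/other permission bits are set. The paths, the user name and the php.ini file are assumptions made for the example. The session.use_only_cookies line is also an addition, not from the thread; it needs PHP 4.3 or later and is included because it addresses Ahmad's point about session IDs in URLs ending up in the access logs.

```shell
# Added example (not code from the thread): create a private session directory
# for one shared-hosting user and verify that other users cannot open its files
# even if they learn a session id.
# Assumptions (not from the thread): PHP runs as the site user via CGI + suexec,
# and that user's own php.ini points session.save_path at this directory.

# make_session_dir DIR OWNER: create DIR with mode 0700 so only OWNER (and root)
# can enter, list, read or write it. chown is attempted only when running as root.
make_session_dir() {
    dir=$1
    owner=$2
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
}

# dir_mode DIR: print the 10-character permission string, e.g. drwx------
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# session_dir_is_private DIR: succeed only when DIR is a directory with no
# group/other permission bits, i.e. other local users cannot reach session files.
session_dir_is_private() {
    case "$(dir_mode "$1")" in
        drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# write_session_ini INI_FILE DIR: append the session settings to the user's
# php.ini. use_only_cookies (PHP >= 4.3, an assumption beyond the thread) keeps
# the id out of URLs and therefore out of the httpd access logs.
write_session_ini() {
    ini=$1
    dir=$2
    {
        printf 'session.save_path = "%s"\n' "$dir"
        printf 'session.use_only_cookies = 1\n'
    } >>"$ini"
}

# Demo in a scratch directory so the script is safe to run anywhere.
demo() {
    base=${TMPDIR:-/tmp}/sess-demo.$$
    user=$(id -un)
    make_session_dir "$base/sessions" "$user" || return 1
    write_session_ini "$base/php.ini" "$base/sessions"
    if session_dir_is_private "$base/sessions"; then
        echo "ok: $base/sessions is $(dir_mode "$base/sessions")"
    else
        echo "FAIL: $base/sessions is $(dir_mode "$base/sessions")" >&2
        return 1
    fi
    cat "$base/php.ini"
    rm -rf "$base"
}

demo
```

One caveat on the "no listing" idea raised above: PHP's built-in files save handler performs its garbage collection by reading the directory (opendir/readdir), so removing read permission from the owning user (mode 0300) to prevent listing would stop expired sessions from being cleaned up. Rely on ownership plus 0700 so that only that user's PHP processes and root can reach the directory at all.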