PHP 4.x Session Spoofing

#1
01-18-2002, 02:30 AM
Mafukie (Junior Guru Wannabe; Join Date: Feb 2001; Posts: 45)
I read about this exploit on neworder:
http://neworder.box.sk/showme.php3?id=6058

It shows the problem and gives a solution.

#2
01-18-2002, 04:16 AM
priyadi (Registered User; Join Date: Apr 2001; Location: Depok, Indonesia; Posts: 986)
A better way would be to use PHP in CGI mode (+suexec) and store all session information inside the users' home directories. However, this requires that every user have their own php.ini file.

#3
01-18-2002, 01:09 PM
zupanm (Web Hosting Master; Join Date: Dec 2001; Location: NYC, NY; Posts: 798)
Actually, their workaround is the best solution. Just make a dir to store the sessions and only allow the apache user to get in and read/write to that dir.

#4
01-18-2002, 01:22 PM
Ahmad (Web Hosting Master; Join Date: Jan 2002; Location: Kuwait; Posts: 679)
Quote:
Originally posted by zupanm
Actually, their workaround is the best solution. Just make a dir to store the sessions and only allow the apache user to get in and read/write to that dir.
I would say:

allow the apache user to only get in and read/write to that dir.

The idea is that the Apache user shouldn't be able to list the contents of the directory.

However, that provided solution doesn't stop anybody on the server from getting direct and full access to other users' sessions if they get to know the session ID.

The solution provided by 'priyadi' is better and good for solving other problems too, like everybody's ability to directly read others' PHP files containing DB passwords.

<<UPDATE:

Session IDs that are incorporated into the URLs (like in this forum) can be easily extracted from the httpd's logs. To solve this, you must give the httpd user ONLY WRITE ACCESS to the log files, and NO READ ACCESS.

You must also note that if you take read access to the logs away from the httpd user, you must make sure that log analyzers will run in a different way, allowing them to get read access to the files.

>>


Last edited by Ahmad; 01-18-2002 at 01:32 PM.
#5
01-18-2002, 02:34 PM
priyadi (Registered User; Join Date: Apr 2001; Location: Depok, Indonesia; Posts: 986)
Quote:
Originally posted by ahmadhash

Session IDs that are incorporated into the URLs (like in this forum) can be easily extracted from the httpd's logs. To solve this, you must give the httpd user ONLY WRITE ACCESS to the log files, and NO READ ACCESS.
Write access to the httpd logs for the httpd user is not even needed, since the log files are opened by the Apache parent process, which is always running as the root user. As long as the log files are writable by root, it should be OK.

#6
01-18-2002, 03:25 PM
Ahmad (Web Hosting Master; Join Date: Jan 2002; Location: Kuwait; Posts: 679)
Thanks for the correction, priyadi;
that's even better.
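
The private session directory that replies #2 through #4 describe, as an added example that is not from this thread or any of its posters: it creates the directory with mode 700, audits that no other account on the shared host can traverse or list it, and prints the php.ini line for a per-user or per-vhost configuration. It assumes a Linux/POSIX host with GNU or BSD `stat`; the directory and owner names are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: set up a private session.save_path
# and audit that other local users cannot reach it. Assumes GNU or BSD
# stat; DIR and OWNER are placeholders supplied by the caller.

# Print the last three octal permission digits of a path (e.g. 700, 777).
perm_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%s\n' "${mode#"${mode%???}"}"   # drop sticky/setgid digits
}

# Is DIR safe as session.save_path on a shared host? Returns 0 only when
# group and others have no bits at all, so another local user cannot even
# traverse it to open a session file whose name (sess_<id>) they know.
session_dir_is_private() {
    [ -d "$1" ] || return 1
    case "$(perm_bits "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create DIR as a private session store owned by OWNER (the account under
# suexec, or the httpd user when PHP runs as a module) and print the
# php.ini line that points PHP at it. Succeeds only if the audit passes.
setup_session_dir() {
    dir=$1; owner=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # chown needs root; when run unprivileged the caller stays the owner.
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$dir" || return 1; fi
    printf 'session.save_path = "%s"\n' "$dir"
    session_dir_is_private "$dir"
}
```

The owner keeps the read bit on purpose: PHP's built-in files handler scans the directory for session garbage collection, so taking listing away from the process that runs PHP breaks expiry of stale sessions. This only isolates accounts when each one's PHP runs as a distinct user (CGI + suexec); with PHP as an Apache module, every script shares the httpd user and therefore the same directory.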
