OK, I have questions.

A session *file* is created, but it is empty. I know of only one way to get
data into it, that is through a session variable. Session variables are
controlled by the programmer, so unless the programmer is careless with
their validation or register_globals setting, I don't see how anything
harmful can get into the empty session file.

The empty file will get cleaned up by garbage collection, like any other
session file.

I guess this could be a DOS attack, by filling up the inode space in /tmp,
or making a really big table if the sessions are stored in the database.

Anyone can easily get the name of a legitimate session file, so I don't see
how things are worse off by creating a session file with a certain name.

So, yes, I guess I do need more! :)


> -----Original Message-----
> From: Giancarlo Pinerolo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 1:44 AM
> Subject: [PHP] the ?PHPSESSID=spoofme 'bug'
> Can I tell you more than what the subject says?
> proceeding:
> Close the browser, clean all your cookies, and open any page with that
> ?PHPSESSID=spoofme appended.
> And see what  happens.
> 1) No cookies are left
> 2) a session 'spoofme' is created
> Do you need more? Javascript url injection ad cross site scripting
> become obsolete with this 'feature'.
> PLS!
> I mean, as the zend site doesn't quite work like this (do the 
> same test
> proceeding as described above...) 
> Their session to append to your cookie-enabled browser location are
> Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their
> login page.
> I don't know if this is related to the free downloadable version, and
> the one they sell and adopt is more 'fortified'... they should clearly
> state it then!
> Gian

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to