[PHP] A security thing or just sessions working?

2004-04-24 Thread john
Hi

I had a problem with what my host called a spate of insecure PHP
applications being used to upload proxying applications which I think has
been solved, however I've just spotted this when trying to validate my
HTML:

<form action="abc.php4" method="post"><input type="hidden"
name="PHPSESSID" value="aada9a6f795cb72df1ef8b8f61d2715c" /><div
class="secondColThird"><input type="submit" value="register"></div></form>

The HTML validator wants the input type to be within the div. Problem
is, I didn't put the <input type="hidden" name="PHPSESSID"
value="aada9a6f795cb72df1ef8b8f61d2715c" /> in there, it's just appeared.

So. Should it be there? Is this just sessions working like they should?
I've never seen it before.

Or have I got Russian Big Boobs all over again :-)

J

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] A security thing or just sessions working?

2004-04-24 Thread john
Hi

I had a problem with what my host called a spate of insecure PHP
applications being used to upload proxying applications which I think has
been solved, however I've just spotted this when trying to validate my
HTML:

<form action="abc.php4" method="post"><input type="hidden"
name="PHPSESSID" value="aada9a6f795cb72df1ef8b8f61d2715c" /><div
class="secondColThird"><input type="submit" value="register"></div></form>

The HTML validator wants the input type to be within the div. Problem
is, I didn't put the <input type="hidden" name="PHPSESSID"
value="aada9a6f795cb72df1ef8b8f61d2715c" /> in there, it's just appeared.

So. Should it be there? Is this just sessions working like they should?
I've never seen it before.

Or have I got Russian Big Boobs all over again :-)

Oh, I just put the site onto a different server on a different host and
didn't get the PHPSESSID thing inserted.

J




[PHP] A security thing or just sessions working?

2004-04-24 Thread john
Hi

I had a problem with what my host called a spate of insecure PHP
applications being used to upload proxying applications which I think has
been solved, however I've just spotted this when trying to validate my
HTML:

<form action="abc.php4" method="post"><input type="hidden"
name="PHPSESSID" value="aada9a6f795cb72df1ef8b8f61d2715c" /><div
class="secondColThird"><input type="submit" value="register"></div></form>

The HTML validator wants the input type to be within the div. Problem
is, I didn't put the <input type="hidden" name="PHPSESSID"
value="aada9a6f795cb72df1ef8b8f61d2715c" /> in there, it's just appeared.

So. Should it be there? Is this just sessions working like they should?
I've never seen it before.

Or have I got Russian Big Boobs all over again :-)

Oh, I just put the site onto a different server on a different host and ..
I've taken another look, I did get the PHPSESSID thing inserted, so I
guess it's standard stuff.

J




Re: [PHP] A security thing or just sessions working?

2004-04-24 Thread John W. Holmes
[EMAIL PROTECTED] wrote:

Hi

I had a problem with what my host called a spate of insecure PHP
applications being used to upload proxying applications which I think has
been solved, however I've just spotted this when trying to validate my
HTML:
<form action="abc.php4" method="post"><input type="hidden"
name="PHPSESSID" value="aada9a6f795cb72df1ef8b8f61d2715c" /><div
class="secondColThird"><input type="submit" value="register"></div></form>
The HTML validator wants the input type to be within the div. Problem
is, I didn't put the <input type="hidden" name="PHPSESSID"
value="aada9a6f795cb72df1ef8b8f61d2715c" /> in there, it's just appeared.
So. Should it be there? Is this just sessions working like they should?
I've never seen it before.
Or have I got Russian Big Boobs all over again :-)

Oh, I just put the site onto a different server on a different host and ..
I've taken another look, I did get the PHPSESSID thing inserted, so I
guess it's standard stuff.
Looks like someone may have manipulated your pages to make them 
vulnerable to session fixation attacks. This is where they'll define a 
preset PHPSESSID that'll be used when you start your session on the next 
page. The PHPSESSID is supposed to be unique and hard to guess, but 
using this method, now they'll know what the ID is and it'll be easy for 
them to craft a session cookie with the same value and take over your 
session.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com

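The fixation scenario John Holmes describes above, written out as an added example. This is not code from the thread or from either poster: it shows the PHP session configuration under which a PHPSESSID hidden field or URL parameter is both emitted by PHP (session.use_trans_sid) and accepted as the session id (session.use_only_cookies=0), next to a hardened setup that takes the id from the cookie only, rejects ids the server never issued, and regenerates the id at login so a planted id is useless afterwards. It is written for PHP 7+ (the thread is about PHP 4, whose session_regenerate_id() lacked the delete-old-session flag and which had no use_strict_mode); the function names and the login step are hypothetical.

```php
<?php
// Added example, not from the mailing-list thread. Function names are hypothetical.
// Requires PHP >= 7.3 for session.cookie_samesite; the other settings are older.

// --- The configuration the thread is worried about ---------------------------
// With session.use_only_cookies=0 and session.use_trans_sid=1, session_start()
// adopts whatever id arrives as a PHPSESSID GET/POST parameter, and PHP's output
// rewriter appends ?PHPSESSID=... to links and a hidden <input name="PHPSESSID">
// to every form for clients that did not send the cookie. An attacker who gets
// a victim to submit a form or follow a link carrying a chosen id therefore
// knows the victim's session id before the victim has even logged in.
function start_session_vulnerable(): void
{
    ini_set('session.use_only_cookies', '0');   // id accepted from the request
    ini_set('session.use_trans_sid', '1');      // and echoed into forms/URLs
    session_start();                            // attacker-chosen id is used as-is
}

// --- Hardened version -----------------------------------------------------------
function start_session_hardened(): void
{
    // Take the id from the session cookie only; never from URL or form fields.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server did not itself generate (PHP >= 5.5.2); a client
    // presenting an unknown id gets a fresh one instead of creating that session.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from script and, on HTTPS, off cleartext connections.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

// Call whenever the session gains privilege (login, role change). The id the
// client arrived with is discarded and a new server-chosen id is issued, so an
// id an attacker planted before login no longer maps to the logged-in session.
function login_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('session must be started before login');
    }
    session_regenerate_id(true);            // true: delete the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['auth_time'] = time();
}

// Detection hook for the hardened setup: once sessions are cookie-only, a
// session-id parameter in the query string or body is never legitimate, so log
// it. The hidden field the original poster found would trip this check.
function flag_session_id_in_request(): ?string
{
    $name = session_name();                 // 'PHPSESSID' unless renamed
    foreach (['GET' => $_GET, 'POST' => $_POST] as $where => $bag) {
        if (isset($bag[$name])) {
            error_log(sprintf('session id supplied via %s from %s',
                $where, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            return $where;
        }
    }
    return null;
}

// Typical request flow for a login handler (hypothetical login.php):
//   start_session_hardened();
//   flag_session_id_in_request();
//   if (credentials_ok($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       login_user($uid);
//   }
```

The setting that actually inserts the hidden PHPSESSID field is session.use_trans_sid; turning it off removes the field from the rendered form, which is the quickest way to confirm that PHP, rather than a modified page, was producing it. Disabling it costs only cookieless clients their sessions. Of the hardening steps, session_regenerate_id() at login is the one that defeats fixation even where use_only_cookies cannot be changed, because the attacker's planted id stops being the authenticated one.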