[PHP] SESSION Security

2002-08-14 Thread Sascha Braun

Is it possible that someone from outside can read the sessions stored
on my webserver to get unencrypted passwords and usernames?

Schura



Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.

If a person 'somehow' gains read access to the directory where the sessions 
are stored on your server, then yes it is possible for them to get the 
session id.

Ilia



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun

So, if somebody gets an ftp account somehow, he will be able to get session
vars via a system() command?






Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.

On August 14, 2002 07:03 pm, Sascha Braun wrote:
 So, if somebody gets an ftp account somehow, he will be able to get session
 vars via a system() command?

If their FTP client allows them to go into the directory where session ids are 
stored, then that user will be able to see current session ids. On most 
servers FTP clients are setup to only allow user access to their own home 
directory.

Ilia







Re: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun

So, the system() command allows a user only to start services in his own
home directory?








Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.

On August 14, 2002 07:12 pm, Sascha Braun wrote:
 So, the system() command allows a user only to start services in his own
 home directory?


Uhm... I am a little confused, how does system() command relate to FTP access?

Ilia








Re: [PHP] SESSION Security

2002-08-14 Thread Bas Jobsen


On Thursday 15 August 2002 01:03, you wrote:
 So, if somebody gets an ftp account somehow, he will be able to get session
 vars via a system() command?

You hold him in his own dir by the chroot setting of your ftpserver.
 via a system();
you mean if they upload a php file?
prevent that with your php.ini settings:

open_basedir string: Limit the files that can be opened by PHP to the
specified directory-tree.
or
safe_mode boolean
  Whether to enable PHP's safe mode. Read the Security and Safe Mode chapters
for more information.

if you allow cgi, you must build the same sort of restrictions for that too.



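One way to act on Bas's advice, added here as an example and not code from the thread: keep the session files in a directory that only the PHP process user can read, and verify that before the session is started, so another account on a shared host cannot list them. The directory path, the function name and the use of posix_geteuid() (needs the posix extension) are assumptions.

```php
<?php
// Added example, not from the thread. Moves session files out of the shared
// default save path (typically /tmp) into a private directory and refuses to
// start a session if that directory is readable by anyone else.
function secure_session_save_path(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    // Group/other bits must all be clear: other local users get nothing.
    if ((fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("$dir is readable by other users");
    }
    // The directory must belong to the user PHP runs as (assumed check,
    // needs the posix extension); a directory owned by someone else could
    // be replaced or symlinked by that someone.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP process user");
    }
    session_save_path($dir);

    // The id travels only in a cookie, never in the URL, and is hidden
    // from client-side script.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
}

secure_session_save_path('/var/lib/php/sessions-myapp');  // assumed path
session_start();
```

open_basedir and safe_mode are php.ini-level settings and are not changed here; this complements them by removing the session files from the directory other users' scripts would look in.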




Fw: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun

 Yeah,

 I guess I meant that! - The attacker just needs to upload a nice PHP script
 which is able to spy all server paths, maybe via phpinfo(), and then open
 each file stored in the session tmp path via the dir_list() function, hope
 this was the right function, but there are some, with PHP it's easy to browse
 the whole server I think, via the file functions.

 Puh, I'm sweating too much...

 hard to write.

 Schura






[PHP] session security

2002-06-02 Thread Giancarlo Pinerolo

Why can a user force PHP to create a session whose name he's giving in the
URL?
Do you want me to list half a dozen ways to get rich now with these
holes?
Does anyone understand the malice of this?
Anyone can offer you a click on a session he's going to visit later and
hijack from you?
Anyone can post data in a black hole of his own and pass it around
secretly?
Anyone can place precise strings in a precise file location on a server?
How is it that a user can force any session string, passed in
the URL, to be created, even when cookies are fully functional and
enabled?
Is it possible that there is no policy on creating a new session? There's
so much fuss about register_globals, and we let the users create the
sessions they want?
Shouldn't we check that it's us who issued the ticket?

How is it that I cannot find a decent reply to these questions?

Giancarlo

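A defender-side configuration for the problem Giancarlo raises (a session id chosen by the visitor and passed in the URL being accepted and created by the server), added here as an example and not code from the thread. session.use_strict_mode requires PHP 5.5.2 or later; the issued_by_server marker and the login_user() helper are assumptions.

```php
<?php
// Added example, not from the thread: only accept session ids the server
// itself issued, and re-issue the id whenever privilege changes.

// 1. Strict mode: an uninitialized id sent by the client is discarded and a
//    fresh one generated, so a pre-chosen id cannot be "created" by visiting.
ini_set('session.use_strict_mode', '1');   // PHP 5.5.2+
// 2. Never read the id from, or write it into, the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_start();

// 3. Fallback for PHP without strict mode: sessions we created carry a
//    marker (assumed name); any session without it gets a new id and an
//    empty data set, so whatever id the client supplied is never kept.
if (empty($_SESSION['issued_by_server'])) {
    session_regenerate_id(true);
    $_SESSION = ['issued_by_server' => true];
}

// 4. On login, issue a new id so an id handed to the victim before login
//    cannot be reused afterwards to ride the authenticated session.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $user_id;
    $_SESSION['issued_by_server'] = true;
}
```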




Re: [PHP] session security issue

2001-08-16 Thread Renze Munnik

On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote:
 $HTTP_SERVER_VARS['SSL_SESSION_ID']
 
 Another thing I found with phpinfo() is
 $HTTP_SERVER_VARS['UNIQUE_ID']. I don't know (yet) what it is, but it
 sounds usable, doesn't it?
 
 sure it does... but first we need to know exactly what it is anyone?

Well I don't... but I _do_ know it's _really_ unique. It's never
the same. So actually I don't really know what to do with it.
Although probably at some time something will come up where one
would need it. I think.
To be short... AFAIK it's exactly what it's called: a unique ID.

-- 

* RzE:

-- 
-- Renze Munnik
-- DataLink BV
--
-- E: [EMAIL PROTECTED]
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
-- H: +31 23 5516190
--
-- Stationsplein 82
-- 2011 LM  HAARLEM
--
-- http://www.datalink.nl
-- 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] session security issue

2001-08-15 Thread Renze Munnik

On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote:
 Sean,
 
 That is a very interesting suggestion.  How would you call that using PHP?
 
 Thanks,
 
 David Price


$HTTP_SERVER_VARS['SSL_SESSION_ID']

Another thing I found with phpinfo() is
$HTTP_SERVER_VARS['UNIQUE_ID']. I don't know (yet) what it is, but it
sounds usable, doesn't it?





Re: [PHP] session security issue

2001-08-15 Thread speedboy

You need to check against a value that was registered as a session
variable. There is no use in checking if some SSL variable is set. Here's
a simplified version of my check_session function that I run at the top of
every page that requires a session to be established.

I also write to the session file on every click. This lets me know how many
sessions are actually active. I have a session deletion script that runs
every minute to check the date of the session file; if it's older than a
defined time it will remove the session file.

The session deletion script is available at http://database.sf.net/

Any other ideas to make a session more secure?

function check_session() {
    session_start();

    // Only a value registered into the session counts as "logged in".
    if (session_is_registered('user_id')) {
        return TRUE;
    } else {
        header('Location: login.php');
        exit;
    }
}






[PHP] session security issue

2001-08-14 Thread Christian Dechery

I have pages that use sessions for security that look something like this:

<?php
session_start();

if( !isset($uid) )
{
    include('include/auth.inc.php');
    auth_user();
}

// more code...
?>

so $uid tells me if the user is logged on or not...

but what if somebody calls the script directly from the address bar like 
this: http://server/script.php?uid=10

wouldn't this be a security problem?

. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer






Re: [PHP] session security issue

2001-08-14 Thread Renze Munnik


Christian,

This can indeed be a security issue. Try using
$HTTP_SESSION_VARS['uid'] instead. It's a safer solution. Then one
cannot just use ?uid=10 in order to fool you. At least, not in that
way.





Re: [PHP] session security issue

2001-08-14 Thread Tim

If you test $HTTP_SESSION_VARS['uid'] instead, you'll know that it came
from a session and not from a GET variable.

- Tim

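The check from Christian's page beside the hardened form Tim and Renze recommend, added here as an example and not code from the thread. $_SESSION is the later name for $HTTP_SESSION_VARS (PHP 4.1 and up); login.php and the uid key come from the thread, while the function names are assumptions.

```php
<?php
// Added example, not from the thread. The first check trusts a global that
// register_globals fills from the query string; the second reads only what
// the server itself wrote into the session store.

// VULNERABLE with register_globals = On (removed in PHP 5.4): requesting
// script.php?uid=10 defines $uid, so the page believes the user is logged in.
function is_logged_in_vulnerable(): bool
{
    global $uid;
    return isset($uid);
}

// HARDENED: only a value written server-side into the session counts, and
// its type is checked so a stray string cannot masquerade as a user id.
function is_logged_in(): bool
{
    return isset($_SESSION['uid']) && is_int($_SESSION['uid']);
}

// Gate for every page that requires an established session.
session_start();
if (!is_logged_in()) {
    header('Location: login.php');
    exit;
}

// After the credentials have been verified (inside auth_user() in the
// original, assumed here): the server sets the key; request data never does.
function mark_logged_in(int $user_id): void
{
    session_regenerate_id(true);   // new id on privilege change
    $_SESSION['uid'] = $user_id;
}
```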




Re: [PHP] session security issue

2001-08-14 Thread Sean C. McCarthy

Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on the PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)





RE: [PHP] session security issue

2001-08-14 Thread David Price

Sean,

That is a very interesting suggestion.  How would you call that using PHP?

Thanks,

David Price
