[PHP] SESSION Security
Is it possible that someone from outside can read the sessions stored on my webserver to get unencrypted passwords and usernames?

Schura
Re: [PHP] SESSION Security
If a person 'somehow' gains read access to the directory where the sessions are stored on your server, then yes, it is possible for them to get the session id.

Ilia

On August 14, 2002 06:41 pm, Sascha Braun wrote:
> Is it possible that someone from outside can read the sessions stored on my webserver to get unencrypted passwords and usernames?
>
> Schura

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSION Security
So, if somebody gets an ftp account somehow, he will be able to get session vars via a system() command?

- Original Message -
From: Ilia A. [EMAIL PROTECTED]
To: Sascha Braun [EMAIL PROTECTED]; PHP Mailingliste [EMAIL PROTECTED]
Sent: Thursday, August 15, 2002 1:27 AM
Subject: Re: [PHP] SESSION Security

> If a person 'somehow' gains read access to the directory where the sessions are stored on your server, then yes, it is possible for them to get the session id.
>
> Ilia
Re: [PHP] SESSION Security
On August 14, 2002 07:03 pm, Sascha Braun wrote:
> So, if somebody gets an ftp account somehow, he will be able to get session vars via a system() command?

If their FTP client allows them to go into the directory where session ids are stored, then that user will be able to see current session ids. On most servers FTP clients are set up to only allow user access to their own home directory.

Ilia
Re: [PHP] SESSION Security
So, the system() command allows a user only to start services in his own home directory?

- Original Message -
From: Ilia A. [EMAIL PROTECTED]
To: Sascha Braun [EMAIL PROTECTED]; PHP Mailingliste [EMAIL PROTECTED]
Sent: Thursday, August 15, 2002 1:36 AM
Subject: Re: [PHP] SESSION Security

> If their FTP client allows them to go into the directory where session ids are stored, then that user will be able to see current session ids. On most servers FTP clients are set up to only allow user access to their own home directory.
>
> Ilia
Re: [PHP] SESSION Security
On August 14, 2002 07:12 pm, Sascha Braun wrote:
> So, the system() command allows a user only to start services in his own home directory?

Uhm... I am a little confused, how does the system() command relate to FTP access?

Ilia
Re: [PHP] SESSION Security
On Thursday 15 August 2002 01:03, you wrote:
> So, if somebody gets an ftp account somehow, he will be able to get session vars via a system() command?

You hold him in his own dir by the chroot setting of your ftpserver.

Via a system(); you mean if they upload a php file? Prevent that with your php.ini settings:

open_basedir string: Limit the files that can be opened by PHP to the specified directory-tree.

or

safe_mode boolean: Whether to enable PHP's safe mode. Read the Security and Safe Mode chapters for more information.

If you allow cgi, you must build the same sort of restrictions for that too.
Fw: [PHP] SESSION Security
Yeah, I guess I meant that!

The attacker just needs to upload a nice PHP script which is able to spy out all server paths, maybe via phpinfo(), and then open each file stored in the session tmp path via the dir_list() function (hope this was the right function, but there are some); with php it's easy to browse the whole server, I think, via the file functions.

Puh, I'm sweating too much... hard to write.

Schura

- Original Message -
From: Bas Jobsen [EMAIL PROTECTED]
To: Sascha Braun [EMAIL PROTECTED]; PHP Mailingliste [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, August 15, 2002 12:30 AM
Subject: Re: [PHP] SESSION Security

> You hold him in his own dir by the chroot setting of your ftpserver.
>
> Via a system(); you mean if they upload a php file? Prevent that with your php.ini settings:
>
> open_basedir string: Limit the files that can be opened by PHP to the specified directory-tree.
>
> or
>
> safe_mode boolean: Whether to enable PHP's safe mode. Read the Security and Safe Mode chapters for more information.
>
> If you allow cgi, you must build the same sort of restrictions for that too.
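The thread's two points, session files sitting in a world-readable shared directory and other tenants' scripts reading them, can be addressed at the application side as well as in php.ini. The following is an added example, not code from the thread: it moves the session store to a private, application-owned directory and refuses to start if that directory is readable by other accounts. It only helps where other tenants' scripts run as a different OS user (suexec, separate php-fpm pools); under one shared mod_php user, the per-vhost open_basedir Bas mentions is what keeps them out. The path, and PHP 7.1 or later, are assumptions.

```php
<?php
// Added example, not code from the thread: keep session files out of the
// shared default directory and verify the storage is private before use.
// Complements open_basedir, which must be set in php.ini or the vhost, not
// from a script. Assumes PHP >= 7.1 and a POSIX file system.

function private_session_dir(string $dir): string
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    // Refuse a directory that other local accounts (another FTP user's
    // uploaded script, for instance) could read or list.
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf('%s is mode %04o; expected 0700', $dir, $mode));
    }
    // Refuse a directory we do not own: its owner could loosen it later.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the web server user");
    }
    return $dir;
}

// A directory outside the document root, used by this application only
// (path is an assumption for the example).
$dir = private_session_dir(__DIR__ . '/../var/sessions');
ini_set('session.save_path', $dir);
ini_set('session.use_only_cookies', '1');   // no session id in the URL
ini_set('session.cookie_httponly', '1');    // cookie not readable by page scripts
session_start();
```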
[PHP] session security
Why can a user force php to create a session he's giving the name in the URL?

Do you want me to list half a dozen ways to get rich now with these holes? Does anyone understand the malice of this?

Anyone can offer you a click on a session he's going to visit later and hijack from you? Anyone can post data in a black hole of his own and pass it around secretly? Anyone can place precise strings in a precise file location on a server?

How is it that a user can force any session string passed in the URL to be created, even when cookies are fully functional and enabled? Is it possible that there is no policy on creating a new session?

There's so much fuss about register_globals, and we let the users create the sessions they want? Shouldn't we check that it's us who issued the ticket?

How is it that I cannot find a decent reply to these questions?

Giancarlo
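What Giancarlo describes is session fixation: PHP, as configured by default at the time, would create a session under any id a visitor presented. The following is an added example, not code from the thread, showing how an application checks that "it's us who issued the ticket": ids come only from cookies, unknown ids are discarded (session.use_strict_mode, which assumes PHP 5.5.2 or later), a server-set marker catches the rest, and the id is replaced again at login. The 'issued' key is a name chosen for this example.

```php
<?php
// Added example, not code from the thread. Accept only session ids that this
// server issued. Assumes PHP >= 5.5.2 (session.use_strict_mode); the marker
// check also covers older installs. The 'issued' key is a name chosen here.

function start_server_issued_session(): void
{
    // Never read the id from the URL: cookies only, no URL rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Strict mode: an id unknown to the save handler is discarded and a fresh
    // one generated, so a visitor cannot mint an id of his own choosing.
    ini_set('session.use_strict_mode', '1');
    session_start();

    // Without strict mode PHP would create a session under whatever id
    // arrived. A session we created carries a marker; an unmarked one is
    // abandoned and replaced with an id of our own.
    if (empty($_SESSION['issued'])) {
        session_regenerate_id(true);          // delete the caller-chosen id
        $_SESSION = ['issued' => true, 'created' => time()];
    }
}

function mark_logged_in(int $uid): void
{
    // Privilege change: a new id, so an id fixed before login (the "click on
    // a session he's going to visit later" case) does not survive into the
    // authenticated session.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
}

start_server_issued_session();
```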
Re: [PHP] session security issue
On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote:
> > $HTTP_SERVER_VARS{SSL_SESSION_ID}
> >
> > Another thing I found with phpinfo() is $HTTP_SERVER_VARS{UNIQUE_ID}. I don't know (yet) what it is, but it sounds usable, doesn't it?
>
> sure it does... but first we need to know exactly what it is
>
> anyone?

Well I don't... but I _do_ know it's _really_ unique. It's never the same. So actually I don't really know what to do with it. Although probably at some time something will come up where one would need it. I think.

To be short... FAIK it's exactly what's called: a unique ID.

-- 
* RzE:
Renze Munnik
DataLink BV
E: [EMAIL PROTECTED]
W: +31 23 5326162
F: +31 23 5322144
M: +31 6 21811143
H: +31 23 5516190
Stationsplein 82
2011 LM HAARLEM
http://www.datalink.nl

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] session security issue
On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote:
> Sean,
>
> That is a very interesting suggestion. How would you call that using PHP?
>
> Thanks,
> David Price

$HTTP_SERVER_VARS{SSL_SESSION_ID}

Another thing I found with phpinfo() is $HTTP_SERVER_VARS{UNIQUE_ID}. I don't know (yet) what it is, but it sounds usable, doesn't it?

-- 
Renze Munnik
DataLink BV
Re: [PHP] session security issue
You need to check against a value that was registered as a session variable. There is no use in checking if some SSL variable is set.

Here's a simplified version of my check_session function that I run at the top of every page that requires a session to be established. I also write to the session file on every click. This lets me know how many sessions are actually active. I have a session deletion script that runs every minute to check the date of the session file; if it's older than a defined time it will remove the session file. The session deletion script is available at http://database.sf.net/

Any other ideas to make a session more secure?

    function check_session() {
        session_start();
        // only a session that already has user_id registered counts as established
        if (session_is_registered('user_id')) {
            return TRUE;
        } else {
            header('Location: login.php');
            exit;
        }
    }
[PHP] session security issue
I have pages that use sessions for security that look something like this:

    <?php
    session_start();
    if( !isset($uid) ) {
        include("include/auth.inc.php");
        auth_user();
    }
    // more code...
    ?>

so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this:

http://server/script.php?uid=10

wouldn't this be a security problem?

. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer
Re: [PHP] session security issue
On Tue, Aug 14, 2001 at 08:42:22AM -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
>     <?php
>     session_start();
>     if( !isset($uid) ) {
>         include("include/auth.inc.php");
>         auth_user();
>     }
>     // more code...
>     ?>
>
> so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this:
>
> http://server/script.php?uid=10
>
> wouldn't this be a security problem?

Christian,

This can indeed be a security issue. Try using $HTTP_SESSION_VARS{uid} instead. It's a safer solution. Then one cannot just use ?uid=10 in order to fool you. At least, not in that way.

-- 
Renze Munnik
DataLink BV
Re: [PHP] session security issue
If you test $HTTP_SESSION_VARS[uid] instead, you'll know that it came from a session and not from a GET variable.

- Tim

On 14 Aug 2001 08:42:22 -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
>     <?php
>     session_start();
>     if( !isset($uid) ) {
>         include("include/auth.inc.php");
>         auth_user();
>     }
>     // more code...
>     ?>
>
> so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this:
>
> http://server/script.php?uid=10
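The replies above (check_session, and both answers pointing at $HTTP_SESSION_VARS) make the same point: under register_globals the `isset($uid)` test cannot tell a logged-in user from a `?uid=10` in the URL, because only a value the server itself wrote into the session can be trusted. The following is an added example, not code from the thread, that puts the question's check beside a version reading only $_SESSION (the PHP 4.1+ name for $HTTP_SESSION_VARS) and shows the one place a uid is allowed to enter the session. The user table is constructed for the example, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not code from the thread. Contrasts the check from the
// question with one that reads only the session array. Assumes PHP >= 7.4.
// The user table is constructed for the example.

// Before: under register_globals=On, ?uid=10 in the URL sets $uid before
// this line runs, so the check passes without any login.
function is_logged_in_vulnerable(): bool
{
    global $uid;                       // may come from GET, POST or a cookie
    return isset($uid);
}

// After: only $_SESSION is consulted ($HTTP_SESSION_VARS is the PHP 4.0
// name). A value there was stored by the server in an earlier request;
// nothing in the current URL can put it there.
function is_logged_in(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    return isset($_SESSION['uid']) && is_int($_SESSION['uid']);
}

// Constructed stand-in for the application's user store.
function lookup_user(string $name): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 10, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

// The only place a uid enters the session: after the password check.
function login(string $name, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $u = lookup_user($name);
    if ($u === null || !password_verify($password, $u['hash'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh id at privilege change
    $_SESSION['uid'] = $u['id'];
    return true;
}

if (!is_logged_in()) {
    header('Location: login.php');
    exit;
}
```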
Re: [PHP] session security issue
Hi,

For security use SSL and get the SSL Session ID instead. This cannot be fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
>     <?php
>     session_start();
>     if( !isset($uid) ) {
>         include("include/auth.inc.php");
>         auth_user();
>     }
>     // more code...
>     ?>
>
> so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this:
>
> http://server/script.php?uid=10
>
> wouldn't this be a security problem?
>
> . Christian Dechery (lemming)
> . http://www.tanamesa.com.br
> . Gaita-L Owner / Web Developer
RE: [PHP] session security issue
Sean,

That is a very interesting suggestion. How would you call that using PHP?

Thanks,
David Price

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean C. McCarthy
Sent: Tuesday, August 14, 2001 6:12 AM
To: Christian Dechery
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] session security issue

> Hi,
>
> For security use SSL and get the SSL Session ID instead. This cannot be fooled since it is based on a PK handshake and symmetric encryption.
>
> Sean C. McCarthy
> SCI, S.L. (www.sci-spain.com)