--- Boyan Nedkov <[EMAIL PROTECTED]> wrote:
> > ... Short of any severe bugs in PHP's core, there is no way for a
> > user of your Web application to modify session data ...
>
> It seems that statement is not completely correct considering the topic
> discussed in the paper 'Session Fixation Vu
Yes, you are right, it was my misunderstanding, sorry guys.
Anyway, hope that posting was useful concerning the subject
of the discussion.
Boyan
--
CPT John W. Holmes wrote:
From: "Boyan Nedkov" <[EMAIL PROTECTED]>
[snip]
> ... Short of any severe bugs in PHP's core, there is no way for a
> use
From: "Boyan Nedkov" <[EMAIL PROTECTED]>
> [snip]
> > ... Short of any severe bugs in PHP's core, there is no way for a
> > user of your Web application to modify session data ...
> [/snip]
>
> It seems that statement is not completely correct considering the topic
> discussed in the paper 'Sess
[snip]
> ... Short of any severe bugs in PHP's core, there is no way for a
> user of your Web application to modify session data ...
[/snip]
It seems that statement is not completely correct considering the topic
discussed in the paper 'Session Fixation Vulnerability in Web-based
Applications'
On Thursday 06 November 2003 13:36, Chris Shiflett wrote:
> For example, if you store your sessions in a database, it's pretty trivial
> for another user to write a PHP script that allows him/her to navigate the
> filesystem, searching for your database access credentials. After all, if
> Apache/P
--- "John W. Holmes" <[EMAIL PROTECTED]> wrote:
> Pablo Gosse wrote:
>
> > As to your last point, can something else change the session vars
> > other than my php scripts, answers to that question are exactly what
> > I'm looking for.
>
> Other PHP scripts on the same server (doesn't have to be s
--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> In all honesty I don't know enough about how one would go about
> attempting to hack the values of a session other than through hacking
> into the session files, so if anyone has any input on this please pass
> it along.
Well, you basically hit the nail
Pablo Gosse wrote:
As to your last point, can something else change the session vars other
than my php scripts, answers to that question are exactly what I'm
looking for.
Other PHP scripts on the same server (doesn't have to be same domain)
and most anything that can access the filesystem could m
On Wednesday, November 05, 2003 5:43 PM, Lang wrote:
/*---*/
1. Have register_globals set to off in your php.ini
and
2. Check the values before you put them in the session.
You should be ok.
ie. if you just go
$_SESSION['g_id'] = $_GET['g_id']
on one page, then you stil
As long as you...
1. Have register_globals set to off in your php.ini
and
2. Check the values before you put them in the session.
You should be ok.
ie. if you just go
$_SESSION['g_id'] = $_GET['g_id']
on one page, then you still have the same security risks as using just
$_GET.
If you are slight
10 matches
Mail list logo
