Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Session data pollution vulnerabilities in web applications
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 12 Jan 2006 10:50:47 -0600

On Thu, 2006-01-12 at 11:33 +0000, Alla Bezroutchko wrote:
As for fixing those bugs, I suppose one approach is having a separate
session variable for each function in the application. For example new
user registration will keep its stuff in $_SESSION["register"]["login"]
and authentication will keep its stuff in $_SESSION["auth"]["login"]

These type of bugs stem from bad program design. (BTW: I wouldn't call
it session data pollution... your not polluting anything).

The proposed fix is -- besides being only specific to this example --
equally flawed. The underlying issue is that you trust user supplied
data. When a user supplies a user name for login purposes, you should
only use that input to perform a search in your database. If a match has
been found, take a *trusted* value from your database, for example an
index ID, and carry that in the session object to identify the user.

In other words, don't accept any user input (even after proper input
validation) and carry it as trusted data in your session object. Don't
base further decisions on this data. Since it is user supplied it can
not be trusted.

Your example is further flawed in that it allows the change of a
password without being properly authenticated. Just having a valid
'login' session object present doesn't indicate that the user is
authenticated. I really, really hope this was just an example you made
up, and not something you actually saw being used. If so, go back to
that web site with a clue-by-four and give it a few whacks.

But you are right that these type of issues are common. While we're
educating developers on secure program design, I think we need to do a
better job at teaching some paranoia too. Every programmer should have a
healthy dose of paranoia and distrust when writing applications :)


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]