WebApp Sec mailing list archives

Re: PHP session management

From: Gavin Zuchlinski <gzuchlinski () pgsit org>
Date: Sun, 26 Oct 2003 12:46:01 -0400

On Sunday 26 October 2003 09:06 am, you wrote:

This isn't really a problem to bypass. If someones got local access,
it's likely they will have access to some sort of webfolder, wether that
be a virtualhost, or homedirs(www.foo.com/~username), you can easily
access the information stored in the session with a script like this:

Just to throw this out in the air, if you would create a directory that was 
readable and writeable only to apache cookies could be (semi)securely stored 
there. Then using safe mode and openbasedir writing a script to find the file 
names wouldnt work. All this assumes that PHP is the only scripting language 
though. So what it would come down to is a cross site scripting like attack 
using the what Tommy Gildseth mentioned.
Alright, now poke holes in my idea.

-Gavin
http://libox.net/

Current thread:

PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
  - Re: PHP session management Gavin Zuchlinski (Oct 26)
    - Re: PHP session management Hokkaido (Oct 27)
  - Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Boris Penck (Oct 27)
  - Re: PHP session management weigelt (Oct 28)
    - Re: PHP session management Ivan Ristic (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)