PHP 4.x session spoofing

From: Daniel Lorch (danielat_private)
Date: Sun Jan 13 2002 - 09:56:27 PST


    Hi,
    
    +-------------------+
    | What are sessions |
    +-------------------+
    
    A session ID is required to identify people. It is passed over to the
    browser and is then either part of the URL or stored as a cookie.
    With every request the browser also sends this ID back to the server,
    which makes it possible to see which requests came from which user.
    Using the IP address is not reliable for identification, because many
    people can come through a proxy and share the same IP.
    
    Sessions are now also (mis-)used for authentication purposes. Because
    there is no reliable way of keeping a permanent connection to the
    user, a login procedure is simulated using sessions. As long as the
    user is "logged in", the session-ID replaces any user/password
    combination. Because session-IDs are difficult to predict (that's why
    they are so terribly long), they are considered secure.
    
    +------------------------+
    | Session support in PHP |
    +------------------------+
    
    Since PHP4 there is native support for sessions, derived from PHPLib.
    But instead of using an SQL backend to store these IDs, the developers
    chose to store them as files in /tmp.
    
    Every session is stored in a file like
    
      sess_g35g5g54gg45wg85
    
    where "g35g5g54gg45wg85" is the actual session-ID. Someone could now
    easily spoof these sessions, because he knows the IDs. He would even be
    able to *read* the contents of these files, because PHP very often runs
    as an Apache module (i.e. every executed PHP script inherits the user
    permissions of apache), so you only have to write a PHP script that
    reads out these files.
    
    +------------+
    | Workaround |
    +------------+
    
    I suggest creating a directory:
    
      mkdir /tmp/php_sessions/
    
    You have to adjust the session path in php.ini for this. Then chown it
    to the apache user
    
      chown www-data: php_sessions
    
    And make sure to take away "r". r means "listing a directory". Apache
    only has to be able to "go into it" = x = 1, and "write" = w = 2.
    1 + 2 = 3, so
    
      chmod 300 php_sessions
    
    Now, although apache is still able to create and read sessions, it is
    no longer possible to list the directory.
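    The three steps above as one script, added here as an example (not part of the original post): it creates the directory with the post's owner and mode, then checks the property the post relies on, namely that a session file is still reachable under its known name while the directory itself cannot be enumerated. The path and owner name are the post's; chown is only attempted as root and only if the account exists.

```shell
#!/bin/sh
# Added example (not from the original post). Creates a PHP session directory
# the way the post recommends (owner w+x only, no "r") and checks the property:
# files inside are still reachable by name, but the directory cannot be listed.
# Assumes a POSIX sh with mkdir/chown/chmod/ls; chown runs only as root and only
# if the owner account exists. The php.ini directive is session.save_path.

harden_session_dir() {
    dir=$1          # e.g. /tmp/php_sessions
    owner=${2:-}    # e.g. www-data; empty = leave ownership alone
    mkdir -p "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner": "$dir" || return 1
    fi
    # x (enter) + w (create/unlink) = 3 for the owner, nothing for anyone else
    chmod 300 "$dir"
}

# Symbolic mode of a path, e.g. "d-wx------" (ls -ld is more portable than stat)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Verify the hardening: mode is d-wx------, a session file written under a known
# name can still be read back, and a non-root user cannot enumerate sess_* files.
check_session_dir() {
    dir=$1
    [ "$(mode_of "$dir")" = "d-wx------" ] || return 1
    printf 'user|s:5:"alice";' > "$dir/sess_example" || return 1   # constructed session data
    cat "$dir/sess_example" >/dev/null || return 1
    rm -f "$dir/sess_example"
    if [ "$(id -u)" -ne 0 ]; then
        ls "$dir" >/dev/null 2>&1 && return 1   # listing must be refused
    fi
    return 0
}

# Stand-alone demo on a throwaway directory (the real path would be /tmp/php_sessions)
demo=${TMPDIR:-/tmp}/php_sessions_demo.$$
if harden_session_dir "$demo" www-data && check_session_dir "$demo"; then
    echo "ok: $demo is $(mode_of "$demo"); point session.save_path in php.ini at it"
fi
chmod 700 "$demo" && rm -rf "$demo"
```

    Note that root bypasses directory permissions entirely, so the listing check only proves anything when run as the unprivileged web server user.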
    
    The PHP developers have been informed about this; there is a discussion
    about various security issues in PHP on PHP-Dev.
    
    +---------+
    | Credits |
    +---------+
    
    I didn't find out about this myself - I just fixed it. A customer,
    Michel Lang, pointed it out.
    
    Kind Regards,
      Daniel Lorch
      http://daniel.lorch.cc/
    -- 
    @echo "Hello, World";
    
    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 14:12:15 PST