------------------------------------------------------------------ - EXPL-C-2003-001 exploitlabs.com conjecture paper 001 ------------------------------------------------------------------ -=- PHP and .htaccess Authorization Bypass Conjecture -=- If someone could help me with the implications of this scenario : you = user-ip proxy = proxy ip remhost = host-ip Open browser via proxy to <hostip> with member forum php/BB type with login / pass. ( if im correct this sets a cookie to "maintain state" for session auth) do stuff. Change or turn off proxy in browser. do more stuff. Q? Are you still authorized? C? its looks so A? dunno really, this is why I wrote this. help-me? My Opinion: I think many or most of these php/BB style forums use the <user-ip> as part of the cookie making ( baking? yum ) authentication and persistant state process. It just seems odd that thers no obvious change in the auth, but yet technically the "you' have gone from <proxy-ip> to <user-ip>. This would seem to enable a "session sharing" scenario if you could corordinate a common proxy and a cookie sharing routine to bypass a many restriction... no? Help me figure this out, it is just hypothetical ( hence the conjecture ). What about .htaccess? does this violate that protection as well??? I say ...YES. Comments and FACTUAL, LOGICAL theory are asked upon this as it may ( could ) change the whole aspect of "location" or "absolute" auth via a IP protocol. ( or I will be highly embarased as to my high level ignarami ) Donnie Werner morning_woodat_private http://exploitlabs.com "where finding your hole is job one, and plugging it is half the fun" oh.. check out http://frame4.com for your corporate security needs. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu May 29 2003 - 13:14:19 PDT