[nycphp-talk] Storing User Controlled Configs
Daniel Convissor
danielc at analysisandsolutions.com
Fri Sep 10 13:47:55 EDT 2004

Hey Chris:

On Tue, Sep 07, 2004 at 11:27:02AM -0700, Chris Shiflett wrote:
>
> but the session variables themselves are pretty
> sure, since they're kept on the server and not sent back and forth.

Though, of course, nothing is 100% secure.

If an attacker has found an exploit that allows them to inject code
(which is your REAL problem, not the exposure of session data) or if
you're on a shared server, there are several options.

If the session data is stored on disk and the directory it is stored
in is known and the file permissions on that dir are too permissive,
the cracker can use opendir() and then loop through the directory to
gather the contents of each file.

Similarly, the session file name is based on the session id (which can
be obtained via snooping) and they know the directory, a cracker can
open the file directly, like this:

    file_get_contents('c:/temp/sess_k8s35ou54m9710jc05lfcgssj5');

The session data can be altered as well.

So, if there's any really sensitive data or data that could be used to
escalate privileges, it's probably best not stored in a database
rather than the session data.

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
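
A defensive check for the directory and file permission problem described in the message above, as an added example that is not part of the original post: it audits the configured file-based session directory for modes that let other local accounts list, read or alter session files. The helper names session_dir() and audit_session_dir() are hypothetical, and the check assumes a POSIX host where PHP's fileperms() reflects real permission bits.

```php
<?php
// Added example (not from the original post). Helper names are hypothetical.
// Mode bits only cover *other* accounts: scripts running as the same user
// that owns the session files can read them whatever the mode says.

/** Extract the directory from session.save_path, which may be "[N;[MODE;]]/path". */
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = end($parts);
    // An empty setting means PHP falls back to the system temp directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

/** Return a list of human-readable findings for one session directory. */
function audit_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir: not a directory"];
    }
    $findings = [];
    $mode = fileperms($dir) & 07777;
    // The "other" read bit lets any local account enumerate sess_* names.
    if ($mode & 0004) {
        $findings[] = sprintf('%s: mode %04o lets other users list session files', $dir, $mode);
    }
    // World-writable without the sticky bit lets others replace or delete files.
    if (($mode & 0002) && !($mode & 01000)) {
        $findings[] = sprintf('%s: mode %04o is world-writable without the sticky bit', $dir, $mode);
    }
    // A known session id gives the file name, so each file's own mode matters too.
    foreach (glob(rtrim($dir, '/\\') . '/sess_*') ?: [] as $file) {
        $fmode = fileperms($file) & 0777;
        if ($fmode & 0066) {
            $findings[] = sprintf('%s: mode %04o is accessible beyond its owner', $file, $fmode);
        }
    }
    return $findings;
}

$dir = session_dir((string) ini_get('session.save_path'));
$findings = audit_session_dir($dir);
$report = $findings ? implode(PHP_EOL, $findings) : "$dir: no permissive modes found";
echo $report . PHP_EOL;
```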