I've run into what seems to be a fairly huge security issue with the PHP4 session management. I may have overlooked something, in which case I am happy to be corrected.
On a shared server (but not virtual server), it can be very easy to break into people's security, if it is based around the PHP4 session management.
Example:
http://www.host.com/~someuser/members/some_info.php
Assume you have an account on this members directory
- Log into it
Now, also assume that you have an account on this server (www.host.com).
All that you need to do, is write a script such as:
<?php
// Resume the session identified by the PHPSESSID cookie the browser sends.
session_start();
// Dump every variable the other site stored in that session.
while (list($key, $val) = each($HTTP_SESSION_VARS)) {
    echo "Key is: $key Value is: $val<br>";
}
?>
And place it on your own portion of the hosts webspace.
You then spawn a new browser window (CTRL-N in IE), which keeps the session ID the same, and type in the URL for the script.
Wonder of wonders - you now have a list of every session variable stored by that page, and its values.
Assume you have:
- User = "fredb"
- Access = "1"
- Authenticated = "yes"
Now all you have to do is write a second script that establishes these variables, but with Access = 10, and you have admin access to the website. There are other implications as well - passwords stored in session vars or anything else. The ONLY way I can see around this to an extent is to authenticate a user against a DB every time a session is established, which requires the passwords to be stored in either session vars or cookies. Not nice.
Comments anyone?
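The root cause of what the post describes is that every account on the host writes its session files to the same session.save_path (/tmp by default in PHP4), so a session ID presented to any script on that server resolves to the same file. As an added example (the editor's, not code from the post), a page can keep its session files in a directory only its own account can read and restrict the session cookie to its own URL prefix. The directory /home/someuser/sessions is a hypothetical path; the /~someuser/ prefix is taken from the post's example URL.

```php
<?php
// Added example, not code from the original post. It starts the session from a
// per-account save path so that scripts under other accounts on the same host
// cannot load this site's session files by reusing the visitor's session ID.
//
// Assumptions: /home/someuser/sessions is a hypothetical directory the web
// server may create and write; /~someuser/ is the site's URL prefix.

function private_session_start($save_path, $cookie_path)
{
    // Create the directory with owner-only permissions if it does not exist.
    if (!is_dir($save_path)) {
        if (!mkdir($save_path, 0700)) {
            die('cannot create private session directory');
        }
    }

    // Refuse to run if group or others can read the directory. On a host where
    // all PHP runs as one user this check is not sufficient (see note below),
    // but it catches a plainly shared directory such as /tmp.
    $perms = fileperms($save_path) & 0777;
    if ($perms & 0077) {
        die('session directory is readable by other accounts');
    }

    // Both settings must be applied before session_start().
    session_save_path($save_path);
    // Cookie with no expiry, sent only for URLs under this site's prefix, so
    // the browser never presents the session ID to /~otheruser/ scripts.
    session_set_cookie_params(0, $cookie_path);

    session_start();
}

private_session_start('/home/someuser/sessions', '/~someuser/');

// The rest of the page uses $HTTP_SESSION_VARS as before.
if (!isset($HTTP_SESSION_VARS['Authenticated'])) {
    // Not logged in: show the login form here.
}
?>
```

The cookie path stops the browser from sending the ID to other accounts' scripts; the private save path stops a script that obtains the ID some other way from finding the file. Both only help if each account's PHP actually runs as a different Unix user (CGI with suEXEC or similar): under a single mod_php user every account's scripts can read every account's directories, and the only separation left is the cookie path.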