Does anyone know more information about this or how to go about securing this hole?
Here's the problem in a nutshell: I've been able to "fake" one of my php classes.
The scenario: When a user logs in through the login page they get authenticated (by looking them up in a database) and then a User class (User.php) is created and stores their information and permissions in that User class (for example there is a variable called: isAdmin and it can be set to T or F depending on what they are when they are authenticated). This User class is stored in a session variable and used throughout the program. For instance, if the user tries to go to a page that is for admin only, there is a check in the admin.php page that checks if the $user->isAdmin==T. If it is F then they are denied access.
The problem: A normal user logs in (a non-admin user). The User class is created, isAdmin=N, and the $user variable (that is the instance of the User class) is stored in the session. Now let's say that user is crafty and creates a "fake" User class somewhere else and a page called givemeadmin.php. The fake User class only contains the variable isAdmin. Inside givemeadmin.php there is an include("User.php"); it opens the current session and calls $user->isAdmin=T. Now the user goes back to the "real" program and BINGO! He can access the admin pages.
Does anyone know a way to secure this? I am looking for something that is more secure than using weird variable names. Remember, the user can direct to a page that does a var_dump($user) and can get all the variable names and variable contents.
Thanks in advance!
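One defensive pattern for the scenario described above, as an added example (not the asker's code): keep only the user id in the session and re-derive the privilege from the database on every admin request, so a cached or forged isAdmin flag in the session object is never what grants access. The users table, its columns and the in-memory SQLite database are assumptions made for this example.

```php
<?php
// Added example: the session stores only who the user is; what they may do
// is looked up fresh from the database on each privileged request.
// Table and column names (users, id, name, is_admin) are assumptions.

function buildDemoDb(): PDO {
    // In-memory SQLite with constructed sample rows so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0)");
    return $db;
}

// Authoritative check: the database row, not a flag cached in the session, decides.
function isAdmin(PDO $db, int $userId): bool {
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['is_admin'] === 1;
}

// What admin.php should do: ignore any isAdmin key present in the session
// array and consult isAdmin() with the stored user id only.
function adminPageAllowed(PDO $db, array $session): bool {
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        return false; // not logged in, or the id is not the type the login code stores
    }
    return isAdmin($db, $session['user_id']);
}

$db = buildDemoDb();

// Constructed session contents: bob's session carrying a forged isAdmin flag,
// as in the givemeadmin.php scenario. The forged key plays no part in the decision.
$forgedSession = ['user_id' => 2, 'isAdmin' => 'T'];
var_dump(adminPageAllowed($db, $forgedSession));

// Constructed session contents: alice, whose database row marks her as admin.
$adminSession = ['user_id' => 1];
var_dump(adminPageAllowed($db, $adminSession));
```

If untrusted PHP can execute against the same session store, it can rewrite user_id just as easily as isAdmin, so this only removes the cached privilege as a target; the session storage itself still has to be kept out of reach of that code (a separate session.save_path or a separate host per application).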