Linux - Security forum (LinuxQuestions.org): security related questions, tips, system compromises, firewalls, etc.
I have a script which I am working with that shows the SessId in the address bar, and if the user doesn't log out (hence destroying the session) this session can be reopened and the "secure" page accessed. This is probably due to the session not being destroyed.
Is it possible for someone malicious to find out what the variables that make up the Session ID are and then generate their own to get access to other users' areas that are deemed to be "secure"?
Yes and no... the string is difficult to match, but it is possible to "massage" the session header info and gain access to an area not intended for you. The bigger worry is mismanaged session state: if the session isn't forced to close after a set amount of idle time and the client doesn't close the session properly, another person can simply hop on the machine and access the user's data. You definitely want to configure the web server to manage active and inactive http/https sessions while at the same time your code enforces session state in a reasonable manner.
Originally posted by cyph3r7: Yes and no... the string is difficult to match, but it is possible to "massage" the session header info and gain access to an area not intended for you.
How? I want to test out my code to see if it is exploitable... Any HOWTOs?
Well, what is of more importance is, for instance, in a virtual hosting environment, like at most ISPs, PHP is set up with default values. EVERYBODY can list the directory which is being used for sessions; this is mostly /tmp/php. So you could just list that and give it a try.
Well, honestly, I have recently coded some class for secure login. It uses md5 hashes to ensure the correctness of the data:
ip
username
expire (max idle time verification)
hashes to ensure the above are valid
This should work... you can call that paranoid, but it definitely is more secure than relying on something else. Maybe I'll give you some code excerpts...
cyph3r7 said that it was possible to massage the $_SESSION variables to get a correct hash. Is this correct?
I am trying to put myself in the position of a potential cracker... He managed to get hold of 1 Session ID but doesn't have SSH/Telnet access, so he can't get to the /tmp directory, and he doesn't want to hack just the account he got the Session ID for but wants to generate more... Any ideas?
Well, when you have carefully implemented my suggestions above, one invalid hash will force the user to log in again and erase the session data. I forgot to mention that in my particular protection there is also a secret hash, which in combination with the other 2 hashes is my VERIFICATION hash.
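The scheme described in the last few posts (a session record holding ip, username and expiry, bound together by a hash that includes a server-side secret, with an idle timeout as cyph3r7 asked for) can be put together in one small PHP file. The following is an added example written for this page, not code from any poster or from the poster's class; it assumes PHP 7.4 or later, a login handler that has already verified the password, and a secret key loaded from outside the web root (shown here as a placeholder constant). It swaps the md5 mentioned above for an HMAC with SHA-256, and uses cookie-only session ids so the id never shows up in the address bar, which was the original complaint.

```php
<?php
// Added example for this thread (not from the original posts).
// Assumptions: PHP 7.4+, password already verified by the caller,
// SESSION_SECRET replaced by a real secret stored outside the web root.

declare(strict_types=1);

const SESSION_SECRET   = 'REPLACE-WITH-SERVER-SIDE-SECRET'; // placeholder
const MAX_IDLE_SECONDS = 900;                                // 15 minutes idle ends the session

// Cookie-only session ids: the id never appears in the URL, is not readable
// from JavaScript, and is only sent over HTTPS. Strict mode rejects ids the
// server did not issue itself.
function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.gc_maxlifetime', (string) MAX_IDLE_SECONDS);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Verification hash over username, client IP and expiry, keyed with a secret
// only the server knows, so a copied or hand-built $_SESSION record fails.
function sessionFingerprint(string $user, string $ip, int $expires): string
{
    return hash_hmac('sha256', "$user|$ip|$expires", SESSION_SECRET);
}

// Call right after password verification. A fresh id means a session id that
// existed before login cannot be reused afterwards.
function establishSession(string $user, string $ip): void
{
    session_regenerate_id(true);
    $expires = time() + MAX_IDLE_SECONDS;
    $_SESSION['user']    = $user;
    $_SESSION['ip']      = $ip;
    $_SESSION['expires'] = $expires;
    $_SESSION['hash']    = sessionFingerprint($user, $ip, $expires);
}

// Returns the user name when the session is valid; on any failure (missing
// field, bad hash, IP change, idle timeout) the session is destroyed and null
// is returned, which forces a new login as the post describes.
function validateSession(string $ip): ?string
{
    foreach (['user', 'ip', 'expires', 'hash'] as $key) {
        if (!isset($_SESSION[$key])) {
            destroySession();
            return null;
        }
    }
    $expected = sessionFingerprint($_SESSION['user'], $_SESSION['ip'], (int) $_SESSION['expires']);
    $ok = hash_equals($expected, (string) $_SESSION['hash']) // constant-time compare
        && $_SESSION['ip'] === $ip
        && time() <= (int) $_SESSION['expires'];
    if (!$ok) {
        destroySession();
        return null;
    }
    // Valid request: slide the idle window forward and re-sign the record.
    $_SESSION['expires'] = time() + MAX_IDLE_SECONDS;
    $_SESSION['hash']    = sessionFingerprint($_SESSION['user'], $ip, (int) $_SESSION['expires']);
    return $_SESSION['user'];
}

// Logout or verification failure: wipe server-side data and expire the cookie.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page. Behind a reverse proxy, take the client IP from
// the trusted forwarded header instead of REMOTE_ADDR.
startHardenedSession();
$user = validateSession($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
if ($user === null) {
    header('Location: /login.php');
    exit;
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Two design points worth noting: `hash_equals` is used instead of `==` so that the hash comparison does not leak timing information, and `session_regenerate_id(true)` on login, together with `session.use_strict_mode`, is what stops a session id that someone obtained before authentication from becoming valid afterwards. Binding to the client IP, as the post suggests, also logs out legitimate users whose address changes (mobile networks, proxy pools), so some sites bind to a less volatile value instead.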
I noticed, after trying to check my PHP scripts on w3c.org, that the checking script got the raw script remotely! How does it do this? I am guessing it would be possible for a cracker to extract the contents of my PHP script and find the $_SESSION[""] values! I have not come across anything like this before. It's kind of worrying, as this would enable anyone to just leech your carefully crafted PHP site :s
What you could do to make the area around the secret hash even more secure would be setting up a hash table in the database and filling it with, let's say, 1000 values of different hashes; expand the script to submit the hash_id also and use the hash on a random basis... this will ensure maximum security (but will also be slower, since the hash is also validated each time, since it can't be known to be valid).