Re: PHP session management
From: Gavin Zuchlinski (gzuchlinski pgsit.org)
Date: Sun Oct 26 2003 - 10:46:01 CST
On Sunday 26 October 2003 09:06 am, you wrote:
> This isn't really a problem to bypass. If someone's got local access,
> it's likely they will have access to some sort of web folder, whether that
> be a virtualhost or home dirs (www.foo.com/~username); you can easily
> access the information stored in the session with a script like this:
Just to throw this out in the air: if you would create a directory that was
readable and writeable only to Apache, cookies could be (semi)securely stored
there. Then, using safe mode and open_basedir, writing a script to find the file
names wouldn't work. All this assumes that PHP is the only scripting language,
though. So what it would come down to is a cross-site-scripting-like attack
using what Tommy Gildseth mentioned.
Alright, now poke holes in my idea.
-Gavin
http://libox.net/
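The hardening sketched above, written out as an added example (this is not code from the post or from PHP itself): a per-virtual-host session directory that only the server user can read or list, a check that confirms the permissions, and the matching session.save_path / open_basedir directives. The server user name "www-data", the demo directory names and the document root are assumptions for the demo; the one thing worth knowing that the post does not spell out is that the session directory has to appear in open_basedir as well, or PHP's own session handler is refused access to it.

```shell
#!/bin/sh
# Added example (not from the original post): per-site PHP session storage
# hardened along the lines the post suggests. Assumed names: the web server
# user "www-data", demo directories under the current working directory, and
# the php.ini / per-vhost directives session.save_path and open_basedir.
set -eu

# Create a session directory that only its owner (the server user) can
# read, write or list. Ownership is only changed when running as root and
# the user exists, so the demo also runs unprivileged.
make_session_dir() {
    dir="$1"
    owner="${2:-www-data}"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$dir"
    fi
}

# Succeed (exit 0) only when group and others have no permission bits at all,
# i.e. other local users can neither list nor open the session files.
session_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the PHP directives for one virtual host. The session directory must be
# listed in open_basedir too, otherwise PHP's own session handler is refused
# access; keeping it outside the document root and outside every other
# vhost's open_basedir is what stops other users' scripts enumerating it.
php_session_config() {
    docroot="$1"
    sessdir="$2"
    cat <<EOF
; session files for this vhost only, outside the document root
session.save_path = "$sessdir"
; scripts may touch their own docroot and their own session directory, nothing else
open_basedir = "$docroot:$sessdir"
EOF
}

# Demo run when invoked as: sh harden-sessions.sh demo
if [ "${1:-}" = "demo" ]; then
    make_session_dir ./demo-sessions
    session_dir_is_private ./demo-sessions && echo "demo-sessions is private"
    php_session_config /var/www/example ./demo-sessions
fi
```

The open_basedir line is per virtual host (an Apache `php_admin_value` in the vhost block, or the equivalent in the pool config); a single global open_basedir covering all document roots would defeat the purpose, since every user's script would then be allowed into every session directory.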