PHP Inject in another user session

Since each user has a unique PHPSESSID, is it possible for two users, for example, to enter information into SESSION data using standard PHP running on the server?

Note that I am not using this for any wrong purpose. It is an attempt to use it for communication without access to the database.

Thank you for your time.

+6
php
6 answers

I assume that you want to somehow chat with B by sending a message that fits into session B.

First of all, A needs to obtain B's session identifier, perhaps by selecting their name from a list. You will almost certainly want to encrypt these session identifiers, otherwise you will create a good security hole!

So, A sends data to the server containing the identifier of the target session, and the message. Here is how we could temporarily switch session identifiers to write this data to the target session:

    // get data from form - I'll leave the encryption of the target
    // session id up to you!
    $target_session_id = decryptSessionId($_POST['target']);
    $message = strip_tags($_POST['message']);

    // remember our "real" session id and close the session
    $original_session_id = session_id();
    session_write_close();

    // open the target session
    session_id($target_session_id);
    session_start();

    // add message to target session
    $_SESSION['chat'][] = $message;

    // close target session
    session_write_close();

    // reopen the "real" session
    session_id($original_session_id);
    session_start();
+6

A session is a simple thing that can be easily overestimated to do what you need. Take a look at this simple example that I wrote a while ago: http://pastebin.com/f3ca0ae8d

Using:

  • new mySession(); does the same as session_start();
  • $_MYSESSION does the same as $_SESSION
  • delete mySession(); does the same as session_write_close(); no need to use it if you do not want to free the session until the end of the script.

You can make some changes to use them for your specific purpose, for example, to independently determine the session identifier so that you can share them among different users. Since $_MYSESSION will be distributed to users, you can also use regular PHP sessions with it to store user information in $_SESSION.

[change]

http://pastebin.com/f3c31737e

Example: enter channel $_SESSION['channelid'] and print all unread lines.

    session_start();
    new mySession($_SESSION['channelid']);
    while (count($_MYSESSION['chat']) > 100) {
        unset($_MYSESSION['chat'][key($_MYSESSION['chat'])]);
    }
    while ($line = $_MYSESSION['chat'][$_SESSION['lastread']++]) {
        echo "$line \n";
    }

Example: talk to the channel.

    session_start();
    new mySession($_SESSION['channelid']);
    $_MYSESSION['chat'][] = $_SESSION['myname'] . ' says, "' . htmlspecialchars($_POST['message']) . '"';

etc...

+1

Instead of being confused with what is, in fact, indirect processing of files through a session system, why not go straight to the point and use text files?

It is less vulnerable to attacks, and also less volatile, in the sense that future versions of PHP may decide to prevent such a session switch for security reasons (completely hypothetical, but it makes sense).

+1

I can’t say for sure, but since the session data is stored in a file by default, if your application knows the session ID of another user, you could replace the session file that was written by the standard session functions with the changed data. The next time the other user accesses the script, the modified session data will be loaded.

But you risk all kinds of race conditions and conflicts if you just do it on top of the built-in session processing. You will probably want to replace the session processing functions with your own so that you can deal with all these problems. Problems are probably much more complex than they appear on the surface.

See: http://www.php.net/manual/en/session.customhandler.php for information on custom session handlers

0

The PHP session handler, by default, uses only the session identifier to identify the session. This allows you to use the session identifier from another user and, thus, use the same session (Session Hijacking). Another attack is to prepare a session and force the victim to use this session so that the victim and the attacker use the same session again (Session Fixation).

The reason for these attacks is that you just need to know the session identifier in order to use the session associated with it. Prevention methods: use more identification information than the session identifier. Some suggest using an IP address (but it may change during a session) or a user agent identifier. Another way is to hide the session id from the outside by only allowing cookies and HTTPS.

But also be aware of shared hosting. Some may use a common pool for all session data files of all customers.

0
source share
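The prevention methods named in the answer above (cookie-only identifiers, HTTPS, extra identification such as the user agent), as an added example that is not part of the thread. It also regenerates the identifier at login and enables strict mode as fixation countermeasures; the function names and the `fingerprint` and `user_id` session keys are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example: function names and session keys are hypothetical.

function start_hardened_session(): void
{
    // Accept the identifier only from a cookie, never from the URL,
    // and refuse identifiers the server did not issue itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is sent over HTTPS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Extra identification besides the session id: a hash of the
    // User-Agent header. The client controls this header, so it is an
    // additional check and not a replacement for the cookie settings.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // Mismatch: drop the stored data and continue under a fresh id.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
}

function on_login(string $userId): void
{
    // Issue a new id at the privilege change, so an identifier planted
    // before login no longer points at the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```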
