problem with sessions.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am


Post by claws »

We are so many users in the same domain,
like
http://xyz.com/~user1
http://xyz.com/~user2
http://xyz.com/~user3
http://xyz.com/~user4
These are just different directories in the root directory of the server.

Now I am user1,
and user2 is malicious.

I have a script for uploading files. Visitors can upload their files provided they are logged in, otherwise not.
So in my script upload.php, which contains the "uploading form", I wrote:

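Code:

// session_start() must already have been called before $_SESSION is read
if (isset($_SESSION['UserName']))
{
    // print the form for uploading
}
else
{
    header("Location: login.php");
    exit; // stop the script so nothing after the redirect is sent
}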
So if a user directly visits my upload.php, then since sessions are not set, he will be redirected to the login page.
Now the problem is...

The malicious user2 is giving a link like http://xyz.com/~user2/hack.php, in which he is just giving a link to http://xyz.com/~user1/upload.php. On clicking it, without logging in,
everyone is able to upload the files.

So hopefully /~user2/hack.php is creating that session variable $_SESSION['UserName'].
1. Am I right?
2. How did he get to know that I am using $_SESSION['UserName'] as the session variable?
3. Can't I limit the session variables to just the specific directory in which they are set? I mean, how do I disable the global (root scope) scope of sessions and limit them to just a directory?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. Generally, yes.
  2. UserName is a common enough variable to use, it's logical.
  3. You can limit the availability through cookie settings, or set different storage locations for each user directory (via Apache's httpd.conf)
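
The two measures feyd names (cookie settings and a separate storage location), as an added example that is not part of the original thread: it applies them from PHP instead of httpd.conf. The directory and the session name are assumed values; the cookie path is user1's directory from the first post.

```php
<?php
// Added example: session bootstrap for user1's scripts (include before any output).
// SESSION_DIR and SESSION_NAME are assumptions, not values from the thread.
const SESSION_DIR  = '/home/user1/php_sessions'; // hypothetical; outside the web root
const SESSION_NAME = 'USER1SESSID';              // hypothetical; not the default PHPSESSID
const COOKIE_PATH  = '/~user1/';                 // browser sends the cookie only under this path

function start_private_session(): void
{
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    // Refuse to run if group or other accounts have any access to the session files.
    if ((fileperms(SESSION_DIR) & 0077) !== 0) {
        throw new RuntimeException('session directory is accessible to other users');
    }

    ini_set('session.use_strict_mode', '1');  // reject session ids this store did not issue
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    session_save_path(SESSION_DIR);           // storage separate from the other user directories
    session_name(SESSION_NAME);
    // Arguments: lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, COOKIE_PATH, '', false, true);
    session_start();
}

function require_login(): void
{
    if (!isset($_SESSION['UserName'])) {
        header('Location: login.php');
        exit; // stop here so the protected page is never rendered
    }
}

// At the top of upload.php:
start_private_session();
require_login();
// ... print the upload form ...
```

The separation only holds when PHP runs each account's scripts under that account's own system user; if every script on the server runs as one web-server user, scripts in another user's directory can still read and write this session directory.
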
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

He may have used

Code:

// print the name of every variable stored in the current session
foreach ($_SESSION as $key => $val) {
    echo $key . '<br />';
} // end foreach
claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Post by claws »

Oh, yeah, this is true. @ ianhull

Then this is the biggest security threat for a case like mine.
1. Then what are the available solutions for this problem?
2. Can this be solved just by changing my PHP script?
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

You could disable uploading of .php files

What files are they uploading?

Or if you need .php source to be displayed, you could display it as a text file?

Depending on your setup, and what files you are allowing to upload, and who can access the uploaded files.

You could have all the files uploaded to a directory which is outside of the root.

/user/public_html/<YOUR SITE>
/user/uploads/<UPLOAD DIR>

This way, users cannot use PHP files that are in this directory; if they choose to download the file it will just download and not be executed.

HTH
claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Post by claws »

Was this post intended as a reply to my query?
Sorry, but I didn't understand anything from the above post.
"What files are they uploading?"
How does that matter?
"You could disable uploading of .php files"
Uploading of PHP files???? What are you talking about?

My problem is not about "accessing the uploaded files".

My problem is regarding SESSIONS.

Code:

foreach ($_SESSION as $key => $val) {
    echo $key . '<br />';
} // end foreach

This code will display the session variables I used.
So any malicious user (partner = someone who is sharing the webspace in another directory)
will set the sessions and give access to visitors (without logging in).
How can this be prevented?
claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Post by claws »

Someone please reply.

I am facing serious problems because of this.
waradmin
Forum Contributor
Posts: 240
Joined: Fri Nov 04, 2005 2:57 pm

Post by waradmin »

Couldn't you check the page referrer data? example: if the user clicks from index.php to upload.php, you could check the referrer data and make sure the URL originated from ~/users1/index.php, and if not redirect the user. That will force users to go through your page.
claws
Forum Commoner
Posts: 73
Joined: Tue Jun 19, 2007 10:54 am

Post by claws »

Initially I had that idea,
but it's not going to work out, because
a visitor may follow this path:

/user2/hack.php ----> /user1/index.php ---> /user1/download.php

Since the sessions are set in hack.php,

my download.php will allow him.

I just want to disallow the other (malicious) user from setting sessions.