
Problem with sessions.

Posted: Wed Nov 28, 2007 2:08 am
by claws
We are so many users in the same domain,
like
http://xyz.com/~user1
http://xyz.com/~user2
http://xyz.com/~user3
http://xyz.com/~user4
These are just different directories in the root directory of the server.

Now, I am user1,
and user2 is malicious.

I have a script for uploading files. Visitors can upload their files provided they are logged in; otherwise not.
So, in my script upload.php, which contains the "uploading form", I wrote:

Code:

<?php
session_start();                   // needed before $_SESSION holds anything
if (isset($_SESSION['UserName']))
{
    //`````````` print the form for uploading `````
}
else
{
    header("Location: login.php"); // the original line was missing the ';'
    exit;                          // stop here; a Location header alone does not end the script
}
So, if a user directly visits my upload.php, then since the session is not set, he will be redirected to the login page.
Now the problem is...

The malicious user2 is giving a link like http://xyz.com/~user2/hack.php, in which he is just giving a link to http://xyz.com/~user1/upload.php. On clicking, without logging in,
everyone is able to upload files.

So hopefully /~user2/hack.php is creating that session variable $_SESSION['UserName'].
1. Am I right?
2. How did he get to know that I am using $_SESSION['UserName'] as the session variable?
3. Can't I limit the session variables to just the specific directory in which they are set? I mean, how do I disable the global (root) scope of sessions and limit them to just a directory?

Posted: Wed Nov 28, 2007 9:58 am
by feyd
  1. Generally, yes.
  2. UserName is a common enough variable to use, it's logical.
  3. You can limit the availability through cookie settings, or set different storage locations for each user directory (via Apache's httpd.conf).
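As an added example of the two measures feyd mentions (not code from the thread or from any poster): a small bootstrap that user1 could require_once() at the top of every script under /~user1/. The directory /home/user1/private/sessions, the cookie name USER1SESS and the URL prefix /~user1/ are assumptions for the illustration.

```php
<?php
// Added example (not code from the thread). A bootstrap that user1 can
// require_once() at the top of every script under /~user1/. The path
// /home/user1/private/sessions and the URL prefix /~user1/ are assumed.
//
// Why it is needed: with PHP's defaults every site on the host shares one
// cookie name (PHPSESSID), one cookie path (/) and one save_path (e.g. /tmp).
// A script in /~user2/ that calls session_start() therefore reads and writes
// the same session file that /~user1/upload.php later trusts.

declare(strict_types=1);

// 1. Keep user1's session files where user2's scripts cannot write them.
//    This isolates anything only if PHP runs as a separate OS user per site
//    (suexec/suPHP/php-fpm pools). Under a single shared mod_php account every
//    site runs as the same user and can still reach this directory.
$savePath = '/home/user1/private/sessions';   // assumed, outside public_html
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    http_response_code(500);
    exit('session storage unavailable');
}
session_save_path($savePath);

// 2. A cookie name and path specific to this site, so a PHPSESSID cookie
//    planted by /~user2/hack.php is not even consulted. The cookie path is a
//    convenience, not a security boundary: user2's page is served from the
//    same origin and could set a cookie with this name and path as well,
//    which is why step 1 is what really matters.
session_name('USER1SESS');
session_set_cookie_params([                    // array form needs PHP 7.3+
    'lifetime' => 0,
    'path'     => '/~user1/',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Never adopt a session id the browser made up (session fixation):
//    accept only ids this server created, and only from the cookie.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

session_start();

// 4. What upload.php should call instead of a bare isset().
function current_user(): ?string
{
    $u = $_SESSION['UserName'] ?? null;
    return is_string($u) && $u !== '' ? $u : null;
}

// upload.php then becomes:
//   require_once __DIR__ . '/session_bootstrap.php';
//   if (current_user() === null) { header('Location: login.php'); exit; }
```

The check a practitioner should make before relying on this: find out which OS user executes /~user2/*.php. If it is the same account that executes user1's scripts (classic mod_php with one Apache user), the private save_path is reachable by user2 as well, and the fix has to come from the host (per-user PHP execution), not from user1's script.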

Posted: Wed Nov 28, 2007 10:01 am
by ianhull
He may have used

Code:

<?php
session_start();                       // populate $_SESSION from the shared session
foreach ($_SESSION as $key => $val) {  // print every key name the other site stores
    echo $key . '<br />';
}

Posted: Wed Nov 28, 2007 11:42 am
by claws
Oh, yeah, this is true. @ianhull

Then this is the biggest security threat for a case like mine.
1. Then what are the available solutions for this problem?
2. Can this be solved just by changing my PHP script?

Posted: Wed Nov 28, 2007 1:28 pm
by ianhull
You could disable uploading of .php files.

What files are they uploading?

Or if you need .php source to be displayed, you could display it as a text file.

It depends on your setup, what files you are allowing to be uploaded, and who can access the uploaded files.

You could have all the files uploaded to a directory which is outside of the root.

/user/public_html/<YOUR SITE>
/user/uploads/<UPLOAD DIR>

This way, users cannot use PHP files that are in this directory; if they choose to download the file, it will just download and not be executed.

HTH
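As an added example of the layout ianhull describes (not code from the thread): an upload handler that stores files under a server-chosen name in a directory Apache never serves, and a download handler that streams them back as opaque attachments. The directory /home/user1/uploads, the 2 MiB limit and the form field name "file" are assumptions; the login check is the thread's own $_SESSION['UserName'] test.

```php
<?php
// Added example, not code from the thread. Assumes the hypothetical layout
// /home/user1/public_html (served by Apache) and /home/user1/uploads (never
// served), and that login has already set $_SESSION['UserName'].

declare(strict_types=1);
session_start();
if (!isset($_SESSION['UserName'])) {
    header('Location: login.php');
    exit;
}

const UPLOAD_DIR = '/home/user1/uploads';   // assumed; outside public_html
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed limit

// upload.php: store the file under a name we choose, never the client's.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Random id, no extension: a .php upload is inert here (the directory is
    // not served) and can never be requested by URL anyway.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store upload');
    }
    // Keep the original name only for the Content-Disposition header later.
    file_put_contents($dest . '.name', basename((string) $file['name']));
    return $id;
}

// download.php?id=...: stream the file back as an attachment, typed as
// application/octet-stream so the browser neither renders nor executes it.
function send_download(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {   // rejects ../ and friends
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $name = trim((string) @file_get_contents($path . '.name'));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?: 'download';
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

if (isset($_FILES['file'])) {
    echo 'stored as ', htmlspecialchars(store_upload($_FILES['file']));
} elseif (isset($_GET['id'])) {
    send_download((string) $_GET['id']);
}
```

Note that this protects the uploaded files, which is the point ianhull is making; it does nothing about who is allowed to reach the script, which depends entirely on the session check at the top.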

Posted: Sat Dec 01, 2007 1:17 am
by claws
Was this post intended to reply to my query?
Sorry, but I didn't understand anything from the above post.
What files are they uploading?
How does that matter?
You could disable uploading of .php files
Uploading of PHP files???? What are you talking about?

My problem is not about "accessing the uploaded files".

My problem is regarding SESSIONS.

Code:

<?php
session_start();                       // populate $_SESSION from the shared session
foreach ($_SESSION as $key => $val) {  // print every key name the other site stores
    echo $key . '<br />';
}
This code will display the session variables I used,
so any malicious user (partner = who is sharing the webspace in another directory)
will set the sessions and give access to visitors (without logging in).
How can this be prevented?

Posted: Fri Dec 07, 2007 11:03 pm
by claws
Someone please reply...

I am facing serious problems because of this.

Posted: Fri Dec 07, 2007 11:10 pm
by waradmin
Couldn't you check the page referrer data? For example: if the user clicks from index.php to upload.php, you could check the referrer data and make sure the URL originated from ~user1/index.php, and if not, redirect the user. That will force users to go through your page.

Posted: Sat Dec 08, 2007 12:09 am
by claws
Initially I had that idea,
but it's not going to work out, because
a visitor may follow this path:

/user2/hack.php ----> /user1/index.php ---> /user1/download.php

Since in hack.php the sessions are set,

my download.php will allow him.

I just want to disallow the other (malicious) user from setting sessions.
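You cannot stop another site on the same host from creating a session and writing UserName into it; what user1's scripts can do is refuse to trust a session that user1's own login.php did not mark. As an added example (not code from the thread or from any poster), login.php stores an HMAC over the session id and user name, keyed with a secret only user1's scripts can read, and upload.php/download.php verify it. The key file /home/user1/private/session.key and the key names UserMac and session_key() are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical key file
// /home/user1/private/session.key that only the OS user running user1's PHP
// can read. That requires per-user PHP execution (suexec/suPHP/php-fpm
// pools); under one shared mod_php account user2's scripts could read it too.
//
// user2 can always create a session containing UserName, but cannot produce
// UserMac without the key, so the scripts below reject his session.

declare(strict_types=1);

const KEY_FILE = '/home/user1/private/session.key';   // assumed path

function session_key(): string
{
    $key = @file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) < 32) {
        // First run: create a 32-byte key (in practice generate it once by
        // hand and install it with mode 0600 before the site goes live).
        $key = random_bytes(32);
        if (file_put_contents(KEY_FILE, $key, LOCK_EX) === false || !chmod(KEY_FILE, 0600)) {
            http_response_code(500);
            exit('cannot initialise session key');
        }
    }
    return $key;
}

// Ties the user name to THIS session id, so copying a valid UserMac into a
// different session does not help either.
function session_mac(string $user): string
{
    return hash_hmac('sha256', session_id() . "\0" . $user, session_key());
}

// login.php calls this after the password check succeeds.
function mark_logged_in(string $user): void
{
    session_regenerate_id(true);        // fresh id, not one the visitor arrived with
    $_SESSION['UserName'] = $user;
    $_SESSION['UserMac']  = session_mac($user);
}

// upload.php / download.php call this instead of isset($_SESSION['UserName']).
function logged_in_user(): ?string
{
    $user = $_SESSION['UserName'] ?? null;
    $mac  = $_SESSION['UserMac']  ?? null;
    if (!is_string($user) || !is_string($mac)) {
        return null;
    }
    return hash_equals(session_mac($user), $mac) ? $user : null;
}

// Top of upload.php:
session_start();
if (logged_in_user() === null) {
    header('Location: login.php');
    exit;
}
```

This does not remove the need for private session storage; a co-tenant who can write user1's session file can still destroy or alter it. What it removes is the ability to forge a logged-in session, which is the attack described in this thread.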