[imp] Vulnerabilities in IMP/PHP

Chuck Hagenbuch chuck@horde.org
Mon, 19 Aug 2002 11:17:42 -0400


Quoting Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>:

> in /tmp/phpsessions. After writing a small script, you're able to
> "take over" another person's session. Given the sessionid, and username
> you can extract all variables IMP stored for this session. Among these
> variables, there's an "encrypted" password. The "encryption" consists of
> using "imp" and the sessionid as key - which at this time - you have
> both.

I'm not responding to most of this, because it belongs on the php lists or 
as a contribution to the FAQ to _help_ people, not a bogus security warning 
to scare them. However, this last statement is _very_ misleading.

Unless you have turned off cookies, the encryption key is a completely 
random string with no relation to the session id. If you _have_ turned off 
cookies, though, we have absolutely zero way of getting a reliable key 
known to the client and no one else, so in that case, yes, we use the 
session id and the name of the webserver - anything else would be exposed 
to the webserver user, as well. Which leads me to my last point...

... If you're concerned about security, why on earth would you let non-trusted users run scripts on the same machine?

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"After a few minutes the most aromatic and nice smelling Italian coffee 
 will come out of the exhaustpipe." - Our stove-top espresso pot
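One way to close the two gaps the thread discusses (session files sitting in a shared /tmp, and a key derived from the session id whenever cookies are off), as an added example and not IMP's own code. It assumes PHP 7.3 or later; the cookie name `imp_key`, the directory path and the helper names are hypothetical.

```php
<?php
// Added example (not IMP's code): keep PHP session files out of the shared
// /tmp and never build a secret from the session id, which is not secret.

// 1. Private session store: a directory only the web server user can read.
//    Assumption: $dir lives under this vhost's own tree, not in /tmp.
function private_session_store(string $dir): void {
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    // Refuse a directory that other local users can read (the /tmp problem).
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf(
            "session dir %s is mode %o, expected 0700", $dir, $mode));
    }
    session_save_path($dir);
    ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
}

// 2. Per-session secret that lives only in the client's cookie, never on disk.
//    If the client is not returning cookies, refuse rather than fall back to
//    a key made from the session id and hostname, which anyone able to read
//    the session file already knows.
function client_side_key(): string {
    if (isset($_COOKIE['imp_key'])
        && preg_match('/^[0-9a-f]{64}$/', $_COOKIE['imp_key'])) {
        return hex2bin($_COOKIE['imp_key']);
    }
    // The session ran once already but the key cookie did not come back:
    // cookies are off on the client side, so there is no safe key to use.
    if (!empty($_SESSION['imp_key_issued'])) {
        throw new RuntimeException(
            'client returns no cookies; refusing session-id-derived key');
    }
    $key = random_bytes(32);                  // CSPRNG, unrelated to session id
    setcookie('imp_key', bin2hex($key), [
        'httponly' => true, 'secure' => true, 'samesite' => 'Strict',
    ]);
    $_SESSION['imp_key_issued'] = true;       // only a flag is stored server-side
    return $key;
}

private_session_store('/var/www/imp-sessions'); // assumed path for this vhost
session_start();
$key = client_side_key(); // use as the password-encryption key for this session
```

A private save path only separates session files between users who run as different system accounts; it does nothing against scripts executing as the same web server user, which is the point of the last paragraph above.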