[imp] Vulnerabilities in IMP/PHP
Chuck Hagenbuch
chuck@horde.org
Mon, 19 Aug 2002 11:17:42 -0400
Quoting Bjørn Ove Grøtan <bjorn.grotan@itea.ntnu.no>:
> in /tmp/phpsessions. After writing a small script, you're able to
> "take over" another person's session. Given the sessionid, and username
> you can extract all variables IMP stored for this session. Among these
> variables, there's an "encrypted" password. The "encryption" consists of
> using "imp" and the sessionid as key - which at this time - you have
> both.
I'm not responding to most of this, because it belongs on the php lists or
as a contribution to the FAQ to _help_ people, not a bogus security warning
to scare them. However, this last statement is _very_ misleading.
Unless you have turned off cookies, the encryption key is a completely
random string with no relation to the session id. If you _have_ turned off
cookies, though, we have absolutely zero way of getting a reliable key
known to the client and no one else, so in that case, yes, we use the
session id and the name of the webserver - anything else would be exposed
to the webserver user, as well. Which leads me to my last point...
... If you're concerned about security, why on earth would you let non-
trusted users run scripts on the same machine?
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"After a few minutes the most aromatic and nice smelling Italian coffee
will come out of the exhaust pipe." - Our stove-top espresso pot
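The two key modes Chuck describes, as an added example that is not IMP or Horde code and not part of the original thread. The cipher (a SHA-256 keystream XORed over the password), the key-derivation function, the in-memory "session store", the server name `mail.example.org` and the credentials are all constructed stand-ins; the point is only where the key lives. With cookies on, the key is random and travels only to the client, so someone who can read the world-readable session file gets ciphertext they cannot open; with cookies off, the key is derived from the session id and the server name, both of which that same reader knows, so the "encryption" is only obfuscation:

```python
"""Model of random-key vs. derived-key session password storage.

Constructed example; not the algorithm IMP used. A toy SHA-256 keystream
cipher and a SHA-256 key derivation stand in for the real code.
"""
import hashlib
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derived_key(session_id: str, server_name: str) -> bytes:
    """"Cookies off" mode: key built only from values a local reader of the
    session file also knows (session id and webserver name)."""
    return hashlib.sha256(f"{server_name}:{session_id}".encode()).digest()


def random_key() -> bytes:
    """"Cookies on" mode: fresh random key that is sent only to the client."""
    return secrets.token_bytes(32)


class SessionStore:
    """Stand-in for a world-readable session directory such as /tmp."""

    def __init__(self):
        self.files = {}  # session_id -> stored variables

    def save(self, session_id, variables):
        self.files[session_id] = dict(variables)

    def read(self, session_id):
        return dict(self.files[session_id])


def login(store, server_name, username, password, cookies_enabled):
    """Create a session holding the 'encrypted' password; return the session
    id and the cookie value (the key) the client is given, or None."""
    session_id = secrets.token_hex(16)
    key = random_key() if cookies_enabled else derived_key(session_id, server_name)
    store.save(session_id, {
        "imp_user": username,
        "imp_pass_enc": keystream_xor(key, password.encode()),
    })
    cookie = key if cookies_enabled else None
    return session_id, cookie


def server_decrypt(store, server_name, session_id, cookie):
    """Legitimate server-side recovery of the password for this session."""
    key = cookie if cookie is not None else derived_key(session_id, server_name)
    return keystream_xor(key, store.read(session_id)["imp_pass_enc"]).decode()


def local_attacker_recover(store, server_name, session_id):
    """Attacker who can read the session file and knows the server name, but
    never sees the client's cookie. Returns the bytes a derived-key attempt
    yields: the password when the key was derived, noise when it was random."""
    enc = store.read(session_id)["imp_pass_enc"]
    return keystream_xor(derived_key(session_id, server_name), enc)


if __name__ == "__main__":
    host = "mail.example.org"  # constructed server name
    store = SessionStore()
    for cookies in (True, False):
        sid, cookie = login(store, host, "alice", "s3cret-pass", cookies)
        got = local_attacker_recover(store, host, sid)
        print(f"cookies={cookies}: attacker recovered {got == b's3cret-pass'}")
```

The attacker function deliberately knows everything the reply says a local user can know: the session file contents (including the session id, which is the file name) and the webserver's name. The only thing it is denied is the cookie, which is why the random-key mode holds up and the derived-key mode does not.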