March 12th, 2003, 11:25 PM
The Wizard
Join Date: Mar 2003
Posts: 128
use php-cgiwrap to run php scripts in your username...
__________________
Stand out for justice as witnesses to God

March 13th, 2003, 09:52 AM
Midnight Rider
Join Date: Mar 2003
Location: Quebec, Canada
Posts: 58
I want to point out something I found out about cookie forging. On a site I developed, different users have different kinds of access, and their user_id and access_id are stored in session variables, and for those who want the site to remember their login, also in a cookie. We figured someone might try to edit their cookie and change the access rank to one higher than their legitimate one, and tested it, and it was just ignored. Also, if the browser was closed and then re-opened to the page, the edited cookie would simply be deleted.
Has this happened to anyone else? I tested it on different machines and the same behavior recurred.

March 13th, 2003, 10:05 AM
Banned (not really)
Join Date: Dec 1999
Location: Brussels, Belgium
I think the browser tries to protect the cookie and ignores any changes you make directly to the file, but that doesn't stop someone from connecting directly through telnet or with a socket in PHP and sending their own cookie data by creating their own headers. They will know the format needed from the cookie you've already supplied them.
The vulnerability is there, even if you can't directly edit the cookie file. I think that ability is system dependent.
---John Holmes...
__________________
-- Cigars, whiskey and wild, wild women. --
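The attack described in the post above, as an added PHP example that is not code from the thread. The first half builds the HTTP request by hand, so whatever the browser does with its cookie file, the client can send any access_id it likes. The second half is the server-side remedy a practitioner would pair with it: a remember-me cookie that carries only the user id and an expiry, signed with a server secret, with the access level re-read from the database on every request instead of being trusted from the cookie. The host name, cookie names, secret, table and column names are assumptions, and hash_hmac/hash_equals need PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread.
// Part 1: the forged request. Editing the browser's cookie file may be ignored,
// but a client that writes the request itself can send any Cookie header it
// wants. Host, path and cookie names/values here are constructed.
function forgedRequest(string $host, string $path, array $cookies): string
{
    $pairs = [];
    foreach ($cookies as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode((string) $value);
    }
    return "GET $path HTTP/1.1\r\n"
         . "Host: $host\r\n"
         . "Cookie: " . implode('; ', $pairs) . "\r\n"
         . "Connection: close\r\n\r\n";
}

// Sending it takes three lines (host assumed):
//   $fp = fsockopen('www.example.com', 80);
//   fwrite($fp, forgedRequest('www.example.com', '/admin.php', ['user_id' => 42, 'access_id' => 9]));
//   echo stream_get_contents($fp);

// Part 2: a remember-me cookie the server can verify. It carries only
// user_id|expires|mac; the access level is never stored client-side.
const REMEMBER_SECRET = 'replace-with-32+-random-bytes-loaded-from-config'; // assumption

function makeRememberCookie(int $userId, int $ttl = 2592000): string
{
    $expires = time() + $ttl;
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, REMEMBER_SECRET);
}

// Returns the user id, or null if the cookie is malformed, expired or tampered with.
function parseRememberCookie(string $cookie): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    list($userId, $expires, $mac) = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    if ((int) $expires < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', "$userId|$expires", REMEMBER_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    return (int) $userId;
}

// Usage on a restricted page (PDO handle, table and columns assumed):
//   $uid = parseRememberCookie($_COOKIE['remember'] ?? '');
//   if ($uid === null) { header('Location: /login.php'); exit; }
//   $stmt = $pdo->prepare('SELECT access_id FROM users WHERE user_id = ?');
//   $stmt->execute([$uid]);
//   $accessId = $stmt->fetchColumn();   // authoritative, not whatever the cookie says

// Change the user id inside a valid cookie and the MAC no longer matches.
$good   = makeRememberCookie(42);
$forged = preg_replace('/^42\|/', '1|', $good);
assert(parseRememberCookie($good) === 42);
assert(parseRememberCookie($forged) === null);
```

The point of the split is that the cookie becomes an opaque, verifiable token rather than a set of fields the client is trusted to fill in; anything that decides authorization (access_id, user level) is looked up server-side after the token checks out.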

April 14th, 2003, 06:54 PM
Junior Member
Join Date: Mar 2003
Posts: 13
I found this as a little extra for CMS security
PHP Code:
// CRYPT_MD5 is a feature-test constant (1 when MD5 crypt is available), not a
// salt; an MD5-crypt salt is "$1$" followed by up to 8 salt characters and "$".
$salt = '$1$' . substr(bin2hex(random_bytes(6)), 0, 8) . '$';
$crypt_pass = crypt($this->pass, $salt);

April 14th, 2003, 07:02 PM
Banned (not really)
Join Date: Dec 1999
Location: Brussels, Belgium
Wow, you're right. I put that line in my code and now I can't hack into my program at all. It's amazing...
Anyhow... Thanks for the tip, but you may want to describe what it does and how someone should use it. That's the whole purpose of this thread.
---John Holmes...

April 14th, 2003, 07:37 PM
Junior Member
Join Date: Mar 2003
Posts: 13

April 16th, 2003, 03:08 AM
Contributing User
Join Date: Apr 2003
Location: SA, Centurion
Posts: 354
__________________
 :P

April 19th, 2003, 12:01 PM
Junior Member
Join Date: Mar 2003
Posts: 13
HELP!
I'm extremely confused now. I'm almost finished creating my content system, and one of the things I need to finish is the login/validating part. This example below, is it for logging in or for validating after logging in on every page? It also seems that everyone has a different example and a different opinion, and I'm trying to make my CMS as secure as possible, but with all these opinions, different examples, and some that don't work, is there one example we can all agree on, or are there any good examples you can recommend? About the example below: I tried it, it didn't work, and I still don't know if it's for logging in or for validating after logging in. Someone please help me? Thank you.
Quote: Originally posted by iamtgo3
Another thing I have seen is to set 2+ cookies and/or sessionID. This way you can use the cookie data to query a database to see if they are valid users before giving them access to certain pages.
PHP Code:
//Set Cookies and sessionID when the users logs in.
setcookie("registered", "Yes", time()+ "2592000", "/", "", 0);
setcookie("username", $name, time()+ "2592000", "/", "", 0);
setcookie("userid", $userid, time()+ "2592000", "/", "", 0);
setcookie("password", $password, time()+ "2592000", "/", "", 0);
$session = session_id();

// Run this validation when a user comes to restricted area
if ($HTTP_COOKIE_VARS["registered"] != "Yes") {
    echo "You do not have access";
    exit;
}
$username = $HTTP_COOKIE_VARS['username'];
$userid   = $HTTP_COOKIE_VARS['userid'];
$password = $HTTP_COOKIE_VARS['password'];
$db_name = "Database";
$link = mysql_connect("localhost", "username", "password") or die("Could not connect to server!");
$query = "SELECT * FROM Users WHERE userid = '$userid' AND password = password('$password') AND userid = '$userid'";
$result = mysql_db_query($db_name, $query, $link) or die("Could not complete database query");
$num = mysql_num_rows($result);
if ($num != 0) {
    echo "Your In";
} else {
    echo "You are not in";
}

April 19th, 2003, 02:45 PM
Banned (not really)
Join Date: Dec 1999
Location: Brussels, Belgium
If you have questions, please start a new thread. This thread is for security notes, a place to post remarks related to PHP security. This isn't the best place to ask new questions. The only people reading this thread are (hopefully) newbies here and those of us that have contributed and get the notice through email that someone posted here.
Anyhow, that code you posted here is not a good method to use at all. It's setting the user's password in a cookie, which is a bad idea and the query is messed up (repeated $user check).
There are better methods and it's been discussed around here a lot. Either search or start a new thread with your questions.
---John Holmes...

May 19th, 2003, 07:32 AM
Junior Member
Join Date: May 2003
Posts: 1
Quote: Originally posted by DiPesa
You named this vulnerability:
That is an obvious bug. But only if you use
include($page);
in your code. If, as Keiichi suggested, you use
include("$DOCUMENT_ROOT/director/blah_$page.php");
you effectively execute
include("$DOCUMENT_ROOT/director/blah_../../../../../etc/passwd.php");
which results in an illegal filename. The trick suggested by Keiichi limits the pages you can use to the pages mentioned: blah_*.php.
Personally I prefer to check $page for punctuation and simply deny it and return an error page if any exists. It means a bit of extra thought into how directory structures are going to be laid out. Alternatively you might simply check for a "../" or "://".

May 20th, 2003, 04:12 AM
Gogo Google.
Join Date: Nov 2002
Location: Adelaide, Australia
Posts: 226
I like to predefine all my pages that will be accessed. However, I don't just load the page names into the array: I load key=>value pairs into the array. I pass the KEY in the url, so the user never knows what file they're getting.
I know which pages will be permissible, and which will not.
I load these accepted pages into an array, and perform a check on them.
If the page exists in the array, I include it. Otherwise, I don't. Pretty common method nowadays.
Two fold advantage: Secure, and shadowed, meaning the user doesn't really know what they're looking at. All they see is "index.php?code=00".
It's not very extensible (well, it could be with some tricks), but it's just my preferred method.

May 25th, 2003, 05:20 PM
Junior Member
Join Date: May 2003
Posts: 1
Keiichi Morisato's method is my choice for this .inc mess,
PHP Code:
if (file_exists("$DOCUMENT_ROOT/director/blah_$page.php")) {
    include("$DOCUMENT_ROOT/director/blah_$page.php");
} else {
    echo "does not exist";
}
But I only accept letters a-z in $page; everything else gets ripped away.
About cookies/username/password, I use two cookies. One contains data for timeout (name=session_time, value=time_of_creation, updated every request); one contains no information (name and value are generated randomly at login; this is only to annoy hackers).
All I do is compare that current_time - session_time < 10 minutes and randomly_generated_cookie_name value = randomly_generated_cookie_value; if all this adds up, then I trust my session and I can check user_level, user_id etc. from the session.
example randomly_generated_cookie_name = 2434b2cc4c148f68de4ecbaf549710e7
These of course are in addition to PHP's own session id cookie. If you want to make it a bit harder to hack you can change the values to a random number cookie every request.
Any thoughts?
-9902468
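The two include guards discussed in this post and the one before it (a fixed key=>value map so the URL carries only a short code, and a character filter on $page), combined in an added PHP example that is not code from the thread. The raw parameter is checked against a character class first, then looked up in the map, and the resolved path is finally confirmed with realpath() to lie inside the include directory, so a "../" can neither reach the filesystem nor ride along inside a code that looks valid. The directory name, the file names and the codes are assumptions.

```php
<?php
// Added example; directory, file names and codes are assumptions.
const PAGE_DIR = __DIR__ . '/director';

// The URL carries only the key ("index.php?code=01"); the file name never
// appears client-side, and only files listed here can ever be included.
const PAGES = [
    '00' => 'blah_home.php',
    '01' => 'blah_news.php',
    '02' => 'blah_contact.php',
];

// Returns the absolute path to include, or null if the code is not acceptable.
function resolvePage(string $code): ?string
{
    // 1. Character filter on the raw parameter: letters and digits only, short.
    //    This is the "a-z only" rule; it throws away "../", "://" and friends.
    if (!preg_match('/\A[A-Za-z0-9]{1,8}\z/', $code)) {
        return null;
    }
    // 2. Allowlist: unknown codes are refused, whatever characters they use.
    if (!array_key_exists($code, PAGES)) {
        return null;
    }
    // 3. The target must exist and must resolve to a path under PAGE_DIR,
    //    so a mistake in the map (or a symlink) cannot point outside it.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$code]);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Inputs that never reach the filesystem (no directory needed to check these):
assert(resolvePage('../../../../etc/passwd') === null); // punctuation rejected by step 1
assert(resolvePage('00/../01') === null);               // slash rejected by step 1
assert(resolvePage('99') === null);                     // not in PAGES, rejected by step 2

// Front controller.
$code = isset($_GET['code']) ? (string) $_GET['code'] : '00';
$page = resolvePage($code);
if ($page === null) {
    http_response_code(404);
    echo 'does not exist';
    exit;
}
include $page;
```

Each layer catches something the others do not: the filter stops traversal strings before any lookup, the map stops valid-looking codes that were never meant to be pages, and the realpath check catches a map entry that someone later edits to point somewhere it should not.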

May 25th, 2003, 05:34 PM
Contributing User
Join Date: Nov 2000
Posts: 204
Quote: one contains no information (name and value are generated randomly at login, this is only to annoy hackers)
That's so wicked. I love it!
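The ten-minute idle limit from the quoted scheme, done server-side as an added PHP example (not code from the thread): the last-seen timestamp lives in $_SESSION, where the client cannot edit it, the session id is rotated at login and periodically afterwards, and user_level is read from the session only after the freshness check passes. The session key names, the redirect target and the 10-minute/5-minute limits are assumptions.

```php
<?php
// Added example, not code from the thread. Key names and limits are assumptions.
const IDLE_LIMIT   = 600;  // 10 minutes without a request ends the session
const ROTATE_EVERY = 300;  // issue a fresh session id at least this often

// Pure check on the session array so it can be exercised without a real session.
function sessionIsFresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        return false;                       // never logged in
    }
    if ($now - (int) $session['last_seen'] > $limit) {
        return false;                       // idle too long
    }
    $session['last_seen'] = $now;           // sliding window: each request renews it
    return true;
}

// Call after session_start() once credentials have been verified.
function loginUser(int $userId, int $userLevel): void
{
    session_regenerate_id(true);            // never keep the pre-login id
    $_SESSION = [
        'user_id'    => $userId,
        'user_level' => $userLevel,
        'last_seen'  => time(),
        'rotated'    => time(),
    ];
}

// Put this at the top of every restricted page.
function requireLogin(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    ini_set('session.cookie_httponly', '1');   // keep the id away from page scripts
    session_start();
    if (!sessionIsFresh($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');        // assumption
        exit;
    }
    if (time() - (int) $_SESSION['rotated'] > ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
}

// After requireLogin(), user_level can be trusted because it was set by loginUser():
//   requireLogin();
//   if ($_SESSION['user_level'] < 2) { http_response_code(403); exit; }

// Worked through on a constructed session array (no real session needed):
$s = ['user_id' => 7, 'user_level' => 1, 'last_seen' => 1000, 'rotated' => 1000];
assert(sessionIsFresh($s, 1000 + 599) === true);   // 9m59s idle: still good
assert($s['last_seen'] === 1599);                  // and the window slid forward
assert(sessionIsFresh($s, 1599 + 601) === false);  // 10m01s idle: expired
```

Keeping the timestamp in the session rather than in a session_time cookie means an attacker who captures the id still has only the idle window, and cannot extend it by rewriting the cookie value.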

June 6th, 2003, 08:20 AM
Another damn newb...
Join Date: Jan 2002
Location: Bodø, Norway
Posts: 94
Quote: Originally posted by andnaess
That's fine for library files, but I use a lot of includes when building my sites and putting them outside the webtree would make things messy, so we have our webserver set up to deny request for .inc files, simple as that.
Another simple solution is to just place all the typical "content" files, that you don't want to be viewed/executed out of context into a separate folder, and then protect this folder from outside access through a simple .htaccess file... Something like this:
Order Deny,Allow
Deny from all
Allow from www.yoursite.com
Could be like this:
/www
    /inc
        .htaccess
        content1.inc
        content2.inc
In this way at least, people trying to access the /inc folder will only get a "403 forbidden"-message while your PHP-scripts fetching the files through the include-function will work just fine... 
__________________
Torkil Johnsen
Never underestimate the power of stupid people in large groups...
---------------------------(òÓ,)----

June 6th, 2003, 08:25 AM
Banned (not really)
Join Date: Dec 1999
Location: Brussels, Belgium
Yeah, pretty sure that's been said already. Please read the whole thread before posting.
---John Holmes...