"Raditha Dissanayake" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Mmmmm, very interesting thread, thanks for starting this. Good comments, Curt.
> >>1. (!!!) Absolutely easily generate new sessions with any content for every site on the server.
> It's because of the 'suspect' nature of sessions and cookies that I
> never place userid, username or password in sessions. My tactic is to
> always have a 2-column mysql table and store the session identifier and
> the corresponding userid in it. So even if someone does create a bogus
> session they still have to find a way to insert a userid into the mysql
> db.
>
Yep, there are many ways. But I think 90% of PHP users don't even realize
that every user on the same server can actually get full access to their
account through sessions. And I bet it can be done right now on 90% of the hosting
companies :D The only workaround I have thought of at the system level, without
disabling ini_set, is to create a unique session folder for every user, with a
random name 20-30 chars long, and to set this dir for every user through
php_admin_value.
But there's still the next problem below.


> >3. Flood every http server writable directory with thousands or millions of files.
> Set quotas. Some admins even set a quota for the root user, which is
> inconvenient but safe.
>

Unfortunately, setting quotas (e.g. for the apache user) doesn't prevent flooding
out the entire disk. For example, I can have a script running that checks
user directories every 15 minutes, and if some directory contains a large
amount of apache-generated files, the user account is disabled and the files
are removed. But what to do if, for example, I have 500 users and every
user directory is flooded out with bogus files? Actually I can imagine some
sort of terrorising the server with that kind of attack :)


> -- 
> http://www.raditha.com/php/progress.php
> A progress bar for PHP file uploads.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
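The two-column "session id -> userid" table Raditha describes, worked through as an added example (this is not code from the thread or from any poster). It assumes a table named session_owner, an in-memory SQLite database via PDO so it runs stand-alone, and the function names used here; in practice the DSN would point at the MySQL database the post mentions.

```php
<?php
// Added example: bind a server-issued session id to a user id in a DB table
// instead of trusting whatever a session file claims. A forged session
// file planted by another user on the same host can say "userid=42", but
// the application only believes the id this table returns.
// Assumptions: table name session_owner, SQLite DSN, function names.

declare(strict_types=1);

function open_db(): PDO
{
    // Constructed sample: in-memory SQLite so the example runs stand-alone.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session_owner (
        session_id TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        bound_at   INTEGER NOT NULL
    )');
    return $db;
}

// Call once, right after the password check succeeds. Pass the id of a
// freshly regenerated session (session_regenerate_id(true)) so that an id
// chosen by the client is never the one that gets bound.
function bind_session(PDO $db, string $sessionId, int $userId): void
{
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO session_owner (session_id, user_id, bound_at)
         VALUES (?, ?, ?)'
    );
    $stmt->execute([$sessionId, $userId, time()]);
}

// Call on every request. Returns the bound user id, or null when the id was
// never bound by this application or the binding has expired.
function resolve_user(PDO $db, string $sessionId, int $maxAge = 3600): ?int
{
    $stmt = $db->prepare(
        'SELECT user_id, bound_at FROM session_owner WHERE session_id = ?'
    );
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                     // unknown id: forged or stale session
    }
    if (time() - (int) $row['bound_at'] > $maxAge) {
        unbind_session($db, $sessionId); // expired binding: force a fresh login
        return null;
    }
    return (int) $row['user_id'];
}

// Call on logout: once the row is gone the session id is useless.
function unbind_session(PDO $db, string $sessionId): void
{
    $db->prepare('DELETE FROM session_owner WHERE session_id = ?')
       ->execute([$sessionId]);
}

// --- Demonstration with constructed session data (no real session_start) ---
$db = open_db();

// Legitimate login: the id is generated on the server, then bound.
$legitId = bin2hex(random_bytes(16));
bind_session($db, $legitId, 42);

// A session file planted by a neighbour on the same host: its contents
// claim to be user 42, but its id was never bound by this application.
$forgedId      = bin2hex(random_bytes(16));
$forgedSession = ['userid' => 42, 'username' => 'admin']; // trusted by nothing below

printf("legitimate session -> user %s\n", var_export(resolve_user($db, $legitId), true));
printf("forged session     -> user %s (file claimed %d)\n",
    var_export(resolve_user($db, $forgedId), true), $forgedSession['userid']);

unbind_session($db, $legitId);
printf("after logout       -> user %s\n", var_export(resolve_user($db, $legitId), true));
```

Run it with the php CLI (pdo_sqlite is needed for the in-memory database). The table only helps if the row is written after a successful password check and the session id is regenerated at that moment; combined with a per-vhost session.save_path set through php_admin_value to a directory other users' scripts cannot read or write, as suggested earlier in the thread, a forged session file on the shared host neither reveals nor grants anything.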
