OK, I have questions. A session *file* is created, but it is empty. I know of only one way to get data into it, that is through a session variable. Session variables are controlled by the programmer, so unless the programmer is careless with their validation or register_globals setting, I don't see how anything harmful can get into the empty session file.
The empty file will get cleaned up by garbage collection, like any other session file. I guess this could be a DoS attack, by filling up the inode space in /tmp, or making a really big table if the sessions are stored in the database. Anyone can easily get the name of a legitimate session file, so I don't see how things are worse off by creating a session file with a certain name. So, yes, I guess I do need more! :)

Kirk

> -----Original Message-----
> From: Giancarlo Pinerolo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 1:44 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] the ?PHPSESSID=spoofme 'bug'
>
>
> Can I tell you more than what the subject says?
> Proceeding:
> Close the browser, clean all your cookies, and open any page with that
> ?PHPSESSID=spoofme appended.
> And see what happens.
>
> 1) No cookies are left
> 2) a session 'spoofme' is created
>
> Do you need more? JavaScript URL injection and cross-site scripting
> become obsolete with this 'feature'.
>
> PLS!
>
> I mean, as the Zend site doesn't quite work like this (do the same test
> proceeding as described above...)
> Their session to append to your cookie-enabled browser location are
> Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their
> login page.
>
> I don't know if this is related to the free downloadable version, and
> the one they sell and adopt is more 'fortified'... they should clearly
> state it then!
>
>
> Gian

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
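Added example, not part of the thread above and not code from either poster: the configuration under which the "?PHPSESSID=spoofme" behaviour Giancarlo describes occurs, placed beside a hardened session bootstrap. The point the example makes is the one the thread is circling: once the server adopts an id the client supplied, whoever chose that id also knows the id the victim will later log in under (session fixation), so the fix is to stop accepting ids the server never issued and to re-issue the id on login. It assumes PHP 7.3 or later (for `session.cookie_samesite`); `session.use_strict_mode` itself exists since PHP 5.5.2, which is why a fallback for older servers is included. The user table and the password are constructed for the example, and `reject_unissued_session` and `login` are names chosen here, not library functions.

```php
<?php
declare(strict_types=1);

// Weak configuration: the one under which the thread's experiment works.
//
//   session.use_only_cookies = 0   ; PHPSESSID is also read from the query string
//   session.use_trans_sid    = 1   ; links get ?PHPSESSID=... appended
//   session.use_strict_mode  = 0   ; any well-formed id is adopted as a new session
//
// With those settings, /page.php?PHPSESSID=spoofme makes the server create
// session "spoofme". An attacker who gets a victim to follow such a link does
// not need to guess or steal the id afterwards: it was chosen in advance.

// Hardened configuration. May also live in php.ini; ini_set() must run
// before session_start().
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
ini_set('session.use_trans_sid', '0');    // never append it to links
ini_set('session.use_strict_mode', '1');  // ignore ids this server never issued
ini_set('session.cookie_httponly', '1');  // keep the id away from script access
ini_set('session.cookie_samesite', 'Lax');
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}

// Constructed credential store for the example: one user, password "hunter2".
// A real application loads the hash from its user table.
$USERS = [
    'kirk' => password_hash('hunter2', PASSWORD_DEFAULT),
];

/**
 * Fallback for servers without session.use_strict_mode: a session that
 * carries no server-issued marker was adopted from an unknown id (for
 * example "spoofme" planted via URL or cookie). Discard it and issue a
 * fresh id. Call once, right after session_start().
 */
function reject_unissued_session(): void
{
    if (empty($_SESSION['issued'])) {
        session_unset();
        session_regenerate_id(true);   // true: delete the old session file
        $_SESSION['issued'] = true;
    }
}

/**
 * Log the user in. The step that defeats fixation is session_regenerate_id(true):
 * the authenticated state is bound to a new server-generated id, and the id
 * the client arrived with (possibly attacker-chosen) is destroyed.
 */
function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
    return true;
}

session_start();
reject_unissued_session();

// Minimal request handling so the file can be served as-is: POST user and
// password to log in, GET to see whose session this is.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($USERS, (string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? "logged in as {$_SESSION['user']}\n" : "login failed\n";
} else {
    echo isset($_SESSION['user']) ? "session for {$_SESSION['user']}\n" : "anonymous\n";
}
```

To repeat the thread's experiment against this script, serve it with `php -S localhost:8080 fixation.php` and request `http://localhost:8080/?PHPSESSID=spoofme` with no cookies: the query-string id is ignored because of `use_only_cookies`, and the `Set-Cookie` header in the response carries a server-generated id instead. Sending `Cookie: PHPSESSID=spoofme` instead of the query string exercises the other half: strict mode (or the fallback marker check on older servers) refuses the unknown id and issues a new one, and logging in regenerates it again, so the id the attacker picked is never the one that becomes authenticated.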