[PHP] Why is this secure?

2009-02-16 Thread Sean DeNigris
Hi all!  The following code seems like it should be open to session fixation attacks, but is not.  Why?!


This is the beginning of the private page...
	header("Location: http://[address of login page]?requestedpage=[token for this page]");

exit();
}


If an attacker caused a known user to request the above page with ?PHPSESSID=1234, the session_start would then register 1234 as the current session


This is from the login page...
When the user logged in above, the session_start would use the session cookie from the first session_start above and have a validated session with an SID known to the attacker.


However, the top snippet does not cause an SID to be recorded in a cookie, but the bottom one does.  Hence, the attack is prevented, but why?


Thanks, cheers!

- Sean
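As an added example, not the code from Sean's site (the thread shows only fragments of it): a login page and a private page written so that session fixation is closed regardless of how session_start() happens to treat a PHPSESSID in the query string. The page paths, the $users array with its password hashes, and the requestedpage token table are assumptions for illustration. The two defences are to refuse session ids that arrive anywhere but in a cookie (session.use_only_cookies, session.use_strict_mode), and to call session_regenerate_id(true) at the moment the session gains privilege, so any id an attacker planted before login is discarded.

```php
<?php
// Added example, not from the original thread. Paths, users and tokens are
// constructed for illustration.
declare(strict_types=1);

// Ignore session ids carried in the URL or in POST data; only the cookie counts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject ids the server never issued instead of adopting them (PHP 5.5.2+).
ini_set('session.use_strict_mode', '1');
// Cookie: session lifetime, site-wide path, HTTPS only, not readable by scripts.
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Constructed credential store (assumption): username => password hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Constructed allow-list (assumption): requestedpage token => local path.
// Mapping through a table means the redirect target can never be attacker-chosen.
$pagesByToken = [
    'account' => '/account.php',
    'orders'  => '/orders.php',
];

function login_user(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Privilege change: issue a fresh id and delete the old session file, so an
    // id the client brought with it (fixated or not) is never promoted.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Private page guard: send anonymous visitors to the login page with a token
// naming this page, as in the thread, but without a session being created for
// them to return with.
function require_login(string $loginPath, string $pageToken): void
{
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginPath . '?requestedpage=' . urlencode($pageToken));
        exit();
    }
}

// Login page handling (assumed to live at /login.php).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login_user($_POST['username'] ?? '', $_POST['password'] ?? '', $users);
    if (!$ok) {
        http_response_code(401);
        echo 'Login failed';
        exit();
    }
    // Resolve the token through the allow-list; unknown tokens go to a default.
    $token  = $_GET['requestedpage'] ?? '';
    $target = $pagesByToken[$token] ?? '/account.php';
    header('Location: ' . $target);
    exit();
}
```

The guard on the private page deliberately does not call session_start() with any attacker-supplied id in mind: with use_only_cookies and use_strict_mode set, a ?PHPSESSID=1234 in the request is simply ignored, and even if an id were accepted before login, session_regenerate_id(true) at login replaces it before anything sensitive is stored in the session.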

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Why is this secure?

2009-02-16 Thread Sean DeNigris
lol, neither.  It was from a site I had coded.  I read an article  
about session fixation and it seemed vulnerable based on what I read,  
but when I tested it, it didn't seem to be and I wasn't sure why.

What made you think that?

- Sean

On Feb 16, 2009, at 8:16 PM, Ashley Sheridan wrote:


On Mon, 2009-02-16 at 13:49 -0500, Sean DeNigris wrote:

Hi all!  The following code seems like it should be open to session fixation attacks, but is not.  Why?!

This is the beginning of the private page...
	header("Location: http://[address of login page]?requestedpage=[token for this page]");
exit();
}


If an attacker caused a known user to request the above page with ?PHPSESSID=1234, the session_start would then register 1234 as the current session

This is from the login page...
When the user logged in above, the session_start would use the session cookie from the first session_start above and have a validated session with an SID known to the attacker.

However, the top snippet does not cause an SID to be recorded in a cookie, but the bottom one does.  Hence, the attack is prevented, but why?

Thanks, cheers!

- Sean


Erm, is this a trick question or your homework?


Ash
www.ashleysheridan.co.uk







Re: [PHP] Two troublesome fields

2009-02-20 Thread Sean DeNigris

From: Terion Miller 
Date: February 19, 2009 5:34:50 PM EST
To: Bastien Koert 
Cc: PHP General 
Subject: Re: [PHP] Two troublesome fields
I just tried this and now it's not inserting at all where before everything EXCEPT two fields go in...

$sql = "INSERT INTO workorders ( CreatedDate, Location, WorkOrderName, AdminID, FormName, Status, Notes) VALUES (";

$sql .= "Now(), ";
$sql .= "'". mysql_real_escape_string($Location) ."', ";
$sql .= "'". mysql_real_escape_string($WorkOrderName) ."', ";
$sql .= "'". mysql_real_escape_string($AdminID) ."', ";
$sql .= "'". mysql_real_escape_string("WorkOrder") ."', ";
$sql .= "'". mysql_real_escape_string("New Order") ."', ";
$sql .= "'". mysql_real_escape_string($Notes) ."', ";

$WorkOrderID = mysql_insert_id();
mysql_query($sql);


There's no closing parenthesis to VALUES, try...
$sql .= "'". mysql_real_escape_string($Notes) ."')";

Sean DeNigris
s...@clipperadams.com
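As an added example, not code from either poster: the same INSERT written as a PDO prepared statement, which removes the missing-parenthesis class of bug entirely (the SQL text is fixed and the values travel separately) and makes the escaping independent of the connection's character set. It also moves the id lookup after the INSERT; in the quoted snippet mysql_insert_id() is called before mysql_query(), so it reports the id of whatever ran previously, not of this row. The DSN, credentials and sample field values are constructed.

```php
<?php
// Added example, not from the thread. Connection details and values are assumptions.
declare(strict_types=1);

function insert_work_order(
    PDO $pdo,
    string $location,
    string $workOrderName,
    int $adminId,
    string $notes
): int {
    // The statement text is a constant; no user data is ever concatenated into it.
    $sql = 'INSERT INTO workorders
                (CreatedDate, Location, WorkOrderName, AdminID, FormName, Status, Notes)
            VALUES
                (NOW(), :location, :name, :admin, :form, :status, :notes)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':location' => $location,
        ':name'     => $workOrderName,
        ':admin'    => $adminId,
        ':form'     => 'WorkOrder',
        ':status'   => 'New Order',
        ':notes'    => $notes,
    ]);
    // lastInsertId() is only meaningful once the INSERT has actually run.
    return (int) $pdo->lastInsertId();
}

// Constructed connection (assumption). ERRMODE_EXCEPTION turns a failed INSERT
// into an exception instead of a silent "not inserting at all"; disabling
// emulated prepares makes the server itself parse the statement with placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Constructed sample input; the apostrophe in the notes needs no special handling.
$workOrderId = insert_work_order($pdo, 'Warehouse 3', 'Replace bay lamp', 42, "Reported on the o'clock shift");
echo "Created work order $workOrderId\n";
```

With ERRMODE_EXCEPTION set, a malformed statement fails loudly at prepare() time with the MySQL error text, which is the quickest way to find out why a query is "not inserting at all".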