Input Validation of $_SESSION values
From: Pablo Gosse (gossep_at_unbc.ca)
Date: 11/06/03
- Next message: Pablo Gosse: "REPOST TO FIX MANGLED QUERY - Input validation of $_SESSION values"
- Previous message: Chris W. Parker: "RE: [PHP] Sessions within new windows"
- Next in thread: Lang Sharpe: "Re: Input Validation of $_SESSION values"
- Reply: Lang Sharpe: "Re: Input Validation of $_SESSION values"
- Reply: Chris Shiflett: "Re: [PHP] Input Validation of $_SESSION values"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 5 Nov 2003 15:31:45 -0800 To: <php-general@lists.php.net>
Hi all. A quick question as an extension to the threads about input
validation over the past weeks.
It's obviously best practice to rigorously check and validate all input
coming via $_GET or $_POST, but what about $_SESSION values?
Without proper checking of $_GET and $_POST, it is very easy for someone
to exploit an application. But what are the potentials of this
happening with session values?
As an example, in my CMS when the user logs in a number of session
variables are registered, including a user id, group id and clearance
level, all of which are used extensively in queries.
Throughout the CMS I use a custom function to validate any ids coming
from $_GET or $_POST, but are those which come from $_SESSION equally
dangerous? It would seem to me that they wouldn't be quite as
dangerous, but I can't really say for sure.
For example, if someone is attempting to retrieve a specific content
block within the CMS for editing, the following query is executed:
$query = 'select c.* from cms_content c, cms_access x ';
$query .= 'where x.status = 1 and x.c_id = c.c_id and ';
$query .= 'x.p_id = '.$p_id.' and c.p_id = '.$p_id.' ';
$query .= 'and x.u_id = '.$_SESSION['u_id'].' and ';
$query .= 'x.g_id = '.$_SESSION['g_id'].' ';
$query .= $_SESSION['clearance'] < 2 ? 'and (c.release < now() and
(c.expires is null or c.expires > now()) and ((c.begin_suspend is null
and c.end_suspend is null) or (now() not between c.begin_suspend and
c.end_suspend))) ' : '';
What are the implications of not validating the $_SESSION['u_id'],
$_SESSION['g_id'] and $_SESSION['clearance'] values?
In this query, for example, the last ternary statement checks if the
clearance value for the current session is less than 2, and if so the
content can only be accessed if the conditions run against the timestamp
fields for that specific record are valid.
However, if someone were somehow able to hijack the value of
$_SESSION['clearance'] and set it to 3 or 4, then this check would be
ignored.
How big of an issue is this? I'd be very interested in some opinions
from those with more experience on the security side of things.
Cheers,
Pablo
- Next message: Pablo Gosse: "REPOST TO FIX MANGLED QUERY - Input validation of $_SESSION values"
- Previous message: Chris W. Parker: "RE: [PHP] Sessions within new windows"
- Next in thread: Lang Sharpe: "Re: Input Validation of $_SESSION values"
- Reply: Lang Sharpe: "Re: Input Validation of $_SESSION values"
- Reply: Chris Shiflett: "Re: [PHP] Input Validation of $_SESSION values"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
