Over the years, Armid transitioned from being a full-time developer to a full-time pen tester (as in penetration testing, not pen testing) and he hasn't looked back since. "I did enjoy writing code," he commented, "but there's something really satisfying about demonstrating an XSRF attack to that smug developer who swore up-and-down that his code was perfect." And with things like PCI Compliance to worry about, there are plenty of projects to keep him busy.
"It takes a lot to surprise me anymore," Armid added. "In fact, these days, I'm surprised if I don't find a SQL Injection vulnerability. That being said, the public-facing operations engine of a large (3,000+ employee) company really surprised me. To say that it was filled with back doors would almost imply that someone thought to install doors -- this system has more openings than walls. But there was one vulnerability in particular that trumped them all."
system("chmod 777 " . $_COOKIE["$sessionid"]);
"In fairness, this was one of the more secure lines of code, since most attackers will only mangle their cookies as their fourth... maybe fifth step. Plus, they'd be so distracted by all of the other vulnerabilities that they'd likely overlook this altogether."
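The cookie value in that line is sent by the client, so it reaches the shell as untrusted input and the argument to chmod is whatever the browser chose to send. The following hardened replacement is an added example, not code from the original article or from the company in question; the session directory, cookie name and file layout are assumptions. It shows the three changes a reviewer would ask for: validate the cookie against a strict allow-list, confine the resulting path to a fixed directory, and drop the shell entirely in favour of PHP's own chmod() with a restrictive mode.

```php
<?php
// Added example (not from the original article): a hardened replacement for
//   system("chmod 777 " . $_COOKIE["$sessionid"]);
// The cookie is client-supplied, so it must never be concatenated into a
// shell command. Instead: allow-list the value, confine the path, and call
// chmod() directly so no shell is involved at all.

declare(strict_types=1);

// Hypothetical session directory; adjust to the application's real layout.
const SESSION_DIR = '/var/lib/app/sessions';

/**
 * Return the session id from the cookie array only if it has the expected
 * shape (exactly 32 lowercase hex characters). Anything else is rejected.
 */
function validSessionId(array $cookies, string $name): ?string
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    // Allow-list check: spaces, ';', '|', '$(' and path separators cannot pass.
    return preg_match('/\A[0-9a-f]{32}\z/', $cookies[$name]) === 1
        ? $cookies[$name]
        : null;
}

/**
 * Set permissions on the session file belonging to a validated id.
 * Returns true on success, false if the id is invalid or the resolved file
 * is not inside SESSION_DIR.
 */
function setSessionFileMode(array $cookies, string $cookieName, int $mode = 0600): bool
{
    $id = validSessionId($cookies, $cookieName);
    if ($id === null) {
        return false;
    }

    // Build the path from a constant plus the validated id, then confirm the
    // resolved path really lives under SESSION_DIR (guards against symlinks).
    $target = realpath(SESSION_DIR . '/' . $id);
    if ($target === false || strpos($target, SESSION_DIR . '/') !== 0) {
        return false;
    }

    // No shell: chmod() takes the path and an octal mode directly.
    // Default 0600 (owner read/write) instead of the original world-writable 777.
    return chmod($target, $mode);
}

// Constructed sample inputs (not taken from any real request):
$good = ['sessionid' => str_repeat('ab', 16)];   // 32 hex characters
$bad  = ['sessionid' => '../etc/hosts'];         // traversal attempt, rejected

var_dump(validSessionId($good, 'sessionid'));
var_dump(validSessionId($bad, 'sessionid'));
```

The allow-list does the heavy lifting: once the id can only be hex of a fixed length, neither command injection nor path traversal is possible, and the realpath() check is a second, independent line of defence. Calling chmod() instead of system() also removes the dependency on the web server's PATH and on whatever else the shell might interpret.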
Re: The Deadly Cookie, 2011-10-13 09:29, by Machtyn (unregistered)
I could be wrong, but Celina Nunes hints at the problem:
Essentially, what an attacker will be able to do is make every single file readable, writable, and executable for the owner, group, and all users. Yay! Free access to a Linux system and every single file! Including root access, hash files, configurations, ... everything. Want to set up a zombie? There's your system. How one actually sets the $_COOKIE["$sessionid"], I'm not sure (rewrite the HTML or JavaScript and insert the equality line? modify the cookie the website wrote to your system?)