• cavac (unregistered) in reply to Machtyn

    HTTP is a plain text protocol. It's not hard just connecting to Port 80 with telnet and sending the correct headers. Something like this should do the trick:

    host:~$ telnet insecure.example.com 80
    GET /somepage.php HTTP/1.1
    Host: insecure.example.com
    Cookie: sessionid=/etc/passwd
    Accept: */*
    
    
  • tibbe (unregistered) in reply to Machtyn

    Not to say it's not a stupid piece of code. It would however require that the web-server ran as root to chmod /.

  • Ruben (unregistered) in reply to Machtyn

    Eh... it's not that easy... chmod'ing "/" would only work if they had Apache (or whatever they use to serve the PHP pages) running as root which is highly unlikely. So it's not like that piece of code can be used to grant system-wide write permission.

    It can be used to have write permission in anything Apache owns though.

  • UnStandard (unregistered)

    You are all stupid. One line of a php script gives zero indication of its security.

    You have no idea if $_COOKIE["$sessionid"] has already been checked or sanitised elsewhere before this line runs.

    On a well controlled dedicated server this is OK, on a shared server this is definitely a no-no, other users would be able to read and modify your users' session data, though that may or may not be a risk, depending on the application.
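
An added example, not part of any comment above and not the article's code: one way to do the "checked or sanitised" step the last comment mentions before a cookie value is ever turned into a file path. The function name, the session directory and the 32-hex-character ID format are assumptions made for illustration.

```php
<?php
// Added example; names, directory and ID format are assumptions.
const SESSION_DIR = '/var/lib/app/sessions';   // hypothetical, outside the web root

/**
 * Map a client-supplied session cookie to a file path, or return null.
 * The cookie is fully client-controlled, so only an exact allowlisted
 * shape is accepted; nothing from the request reaches the path otherwise.
 */
function sessionFileFromCookie(array $cookies, string $dir = SESSION_DIR): ?string
{
    $id = $cookies['sessionid'] ?? null;
    if (!is_string($id)) {
        return null;            // missing, or an array sent as sessionid[]=...
    }
    // Assumed ID format: exactly 32 lowercase hex characters.
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    if (preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1) {
        return null;            // rejects "/", "..", NUL bytes, anything else
    }
    return $dir . '/sess_' . $id;
}

// Constructed sample cookie values, including the one from the telnet session above.
$samples = [
    ['sessionid' => '/etc/passwd'],
    ['sessionid' => '../../etc/passwd'],
    ['sessionid' => "0123456789abcdef0123456789abcdef\n"],
    ['sessionid' => ['0123456789abcdef0123456789abcdef']],
    ['sessionid' => '0123456789abcdef0123456789abcdef'],
    [],
];

foreach ($samples as $cookies) {
    $path = sessionFileFromCookie($cookies);
    echo json_encode($cookies), ' => ', $path ?? 'rejected', PHP_EOL;
    if ($path !== null && is_file($path)) {
        chmod($path, 0600);     // owner-only mode, fixed in code, never from the request
    }
}
```

Only the last well-formed ID produces a path; every other sample is rejected before any filesystem call is made.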
