• Hanzito (unregistered)

    So we only need to check our cookie database for a SESSION cookie which has whatever format PHP uses to iterate over cookies?

  • pudin9 (unregistered)

    Sounds like something that should have legal consequences.

  • (nodebb)

    While guard dogs can be "bribed" with a piece of meat, this PHP application can be "bribed" with a cookie.

  • LCrawford (unregistered)

    Clearly this PHP programmer had first been trained in ASP.net, where the session values are encrypted before being passed to the client.

  • Barry Margolin (github)

    empty also contains an isset check, so that whole if could be replaced with $isAdmin = empty($_SESSION['ADMIN_ID']);

    As far as I know, cookies are always strings, not arrays. I don't see how you can iterate over $_COOKIE['SESSION'].

  • (author) in reply to Barry Margolin

    So, I'm not sure if this is just a PHP thing or has a broader convention, but you can have a cookie named SESSION[ADMIN_ID], and a cookie named SESSION[USER_ID], and that'll come in to PHP as an associative array under the name SESSION.

  • Carl Witthoft (google)

    "but like, really soon, nobody will be using this anymore"
    cough COBOL cough Ada cough 3G cellular cough

  • Foo AKA Fooo (unregistered) in reply to Barry Margolin

    !

  • WTFGuy (unregistered)

    @LCrawford ref

    Clearly this PHP programmer had first been trained in ASP.net, where the session values are encrypted before being passed to the client.

    Far more likely the programmers at this job-shop (offshore or otherwise) have never been given the slightest training or guidance on secure website design and secure coding procedures.

    Making the code work sorta correctly on one version of one brand of browser is their (low) bar for declaring total success. Making it robust against malicious users is as unthinkable to them as tensor calculus is to your dog.

  • (nodebb) in reply to LCrawford

    In any sane system session values are not passed anywhere. A session ID is the only thing that gets passed between the server and the clients and it's constant for each client unless and until a new session is created on the server.

    It's the blind copying from cookies to session that's a problem.

    Though I guess first you'd have to know the authors of the website are idiots and then you'd have to guess the "ADMIN_ID" string.
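
    Added example, not code from the article or from any commenter: it shows the bracketed cookie names described in the author's reply arriving as an array, and the effect of the "blind copying from cookies to session" named in the comment above, next to a check that relies on server-side state only. The function names, the header value and the session contents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed Cookie header value; a real browser sends pairs separated by "; ".
$header = 'SESSION[ADMIN_ID]=1; SESSION[USER_ID]=42; theme=dark';

// parse_str() applies the same bracket-to-array name handling PHP uses when it
// builds $_COOKIE, so it stands in for a live request here.
parse_str(str_replace('; ', '&', $header), $cookie);

// Hypothetical reconstruction of the pattern the comments describe:
// client-supplied cookie values copied straight into session state.
function blindCopy(array $cookie, array $session): array
{
    if (is_array($cookie['SESSION'] ?? null)) {
        foreach ($cookie['SESSION'] as $key => $value) {
            $session[$key] = $value;
        }
    }
    return $session;
}

// Defensive filter: a cookie that arrives as an array was built with bracket
// syntax; drop it so later code only ever sees plain string cookies.
function scalarCookies(array $cookie): array
{
    return array_filter($cookie, 'is_string');
}

function isAdmin(array $session): bool
{
    return !empty($session['ADMIN_ID']);
}

// What the server stored at login for an ordinary user (constructed).
$serverSession = ['USER_ID' => '42'];

echo 'cookie SESSION is array: ', var_export(is_array($cookie['SESSION']), true), "\n";
echo 'admin after blind copy:  ', var_export(isAdmin(blindCopy($cookie, $serverSession)), true), "\n";
echo 'admin from server state: ', var_export(isAdmin($serverSession), true), "\n";
echo 'cookies kept by filter:  ', implode(',', array_keys(scalarCookies($cookie))), "\n";
```

    Authorization decisions belong on values the server wrote into the session at login; nothing read from a cookie other than the session ID should feed them.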

  • eric bloedow (unregistered)

    Reminds me of something in an old book: a program called "sendmail" had a glitch that allowed it to access system files, so hackers could "mail" fake user profiles...
