Removing Entropy From PHP Session IDs
There are a ton of sites these days that use load-balancers in front of them. There are a few ways they can be installed - completely transparent or acting more like a proxy. The proxy is the more common setup but it has one pretty huge negative side-effect: all the IP addresses come to the server as just one - the internal IP of the load balancer. Normally that’s not a huge deal because the load-balancer does the logging or it sets some custom HTTP header that is properly logged. But PHP doesn’t know about any of that - it’s dumb. It’ll take whatever value it sees as the IP address and apply it to the session ID algorithm. So now instead of having to guess the entire IP space of the Internet, you now have to just guess RFC1918 - and probably realistically a much smaller slice of that in most cases.
Although that setup is pretty common, there is still one drawback. For Samy’s exploit to work you need to know when someone logged in (down to the second, preferably) to remove enough entropy to make it worthwhile to attack. So this still isn’t easily turned into an automated exploit, but we’re slowly but surely getting there.
andry- Moderator
- Posts : 467
Join date : 2010-05-07
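An added example, not part of the original post: a small Python audit that measures how much variability the client-address value seen by the backend really carries, which is the input the post says PHP feeds into the session ID. The function names and the sample address lists are constructed for illustration; in practice the list would come from the backend's own record of the connecting address.

```python
import ipaddress
import math
from collections import Counter

# The three RFC1918 private ranges the post refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def search_space_bits(networks):
    """Bits needed to enumerate every address in the given networks."""
    return math.log2(sum(n.num_addresses for n in networks))

def observed_entropy_bits(addrs):
    """Shannon entropy (bits) of the address values the backend actually saw."""
    counts = Counter(addrs)
    total = len(addrs)
    return abs(sum(c / total * math.log2(c / total) for c in counts.values()))

def audit_remote_addrs(addrs):
    """Summarise the client-address values a backend recorded for its requests."""
    parsed = [ipaddress.ip_address(a) for a in addrs]
    private = [a for a in parsed if any(a in n for n in RFC1918)]
    return {
        "distinct": len(set(parsed)),
        "private_fraction": len(private) / len(parsed),
        "observed_bits": observed_entropy_bits(parsed),
        # Every request arriving from RFC1918 space means the backend is
        # seeing the proxy's internal address, not the real clients.
        "all_rfc1918": len(private) == len(parsed),
    }

# Constructed samples: what the backend sees behind a proxying load balancer,
# and what it sees when clients connect directly (documentation ranges).
BEHIND_PROXY = ["10.0.3.7"] * 6
DIRECT = ["203.0.113.5", "198.51.100.20", "192.0.2.77", "203.0.113.200"]

if __name__ == "__main__":
    print("full IPv4 space : 32.00 bits")
    print("RFC1918 space   : %.2f bits" % search_space_bits(RFC1918))
    for label, sample in (("behind proxy", BEHIND_PROXY), ("direct", DIRECT)):
        print(label, audit_remote_addrs(sample))
```

If `all_rfc1918` is true and `observed_bits` is at or near zero, the address component adds nothing to the session ID on that deployment.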