Trends, Techniques, Tips & Tricks for the PHP Scripting Language

PHP Security Basics: Shared Hosting (Part 2)

February 22, 2009
We're discussing PHP-specific vulnerabilities that are exacerbated by shared hosting environments. In the previous post, PHP Security Basics: Shared Hosting (Part 1), we discussed a source code exposure vulnerability and its mitigation. In this post, we'll look at session data exposure and modification.

By default, PHP stores session data as files in /tmp (the default session.save_path), one file per session, named sess_ followed by the session ID, and containing the serialized $_SESSION contents in exactly the format that session_decode reads and session_encode produces. The files are created readable only by their owner, so other users on a shared host cannot read them directly from their own accounts. But that owner is the web server user, and under mod_php every site's scripts run as that user, so once again a script on another site can be co-opted into reading them. From there it isn't much of an effort to take the next step: decode the exposed data, modify it, re-encode it with session_encode and overwrite the corresponding file in /tmp. With that, an attacker is a short step from granting themselves arbitrary access to your data, since whatever your application stores in the session to identify the logged-in user is now theirs to edit.

The solution? Once again we resort to the database, this time as the session data store. This might seem laborious, but the PHP function session_set_save_handler makes the change fairly painless. All the actual database interaction is contained in the six callbacks supplied to session_set_save_handler (open, close, read, write, destroy and gc), which must be registered before session_start; the $_SESSION superglobal is then used in the normal way. The PHP manual page for session_set_save_handler contains sample code for the required database interaction. Note that this only helps if the database credentials themselves are out of other users' reach, which is exactly what the mitigation in Part 1 addresses.
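As an added illustration (this is not code from the original post or from the PHP manual), here is a complete database-backed session store built from the six callbacks. It uses an in-memory SQLite database through PDO so it runs stand-alone from the command line; the DSN, the table name `sessions` and its columns are assumptions, and a real deployment would point the DSN at the site's own database with credentials kept out of other users' reach as described in Part 1.

```php
<?php
// Added example: database-backed PHP session store via session_set_save_handler().
// Assumptions: SQLite via PDO (in-memory, so this runs offline), a table named
// "sessions" with columns id/data/updated_at. Swap the DSN for a real database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id         TEXT PRIMARY KEY,
    data       TEXT NOT NULL,
    updated_at INTEGER NOT NULL
)');

// The six callbacks, in the order session_set_save_handler() expects them.
$open = function (string $savePath, string $sessionName): bool {
    return true;            // the PDO connection is already established above
};
$close = function (): bool {
    return true;            // nothing to release per request in this example
};
$read = function (string $id) use ($db): string {
    // Must return the raw serialized data, or '' for an unknown session ID.
    // Returning anything else makes session_start() fail.
    $stmt = $db->prepare('SELECT data FROM sessions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : $row['data'];
};
$write = function (string $id, string $data) use ($db): bool {
    // Called at session_write_close() or script shutdown with the serialized
    // $_SESSION; the session ID comes from PHP, so bind it, never interpolate it.
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO sessions (id, data, updated_at)
         VALUES (:id, :data, :now)'
    );
    return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
};
$destroy = function (string $id) use ($db): bool {
    $stmt = $db->prepare('DELETE FROM sessions WHERE id = :id');
    return $stmt->execute([':id' => $id]);
};
$gc = function (int $maxLifetime) use ($db): int {
    // Garbage collection: drop sessions idle longer than session.gc_maxlifetime.
    $stmt = $db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
    $stmt->execute([':cutoff' => time() - $maxLifetime]);
    return $stmt->rowCount();
};

// Registration must happen before session_start().
session_set_save_handler($open, $close, $read, $write, $destroy, $gc);

// From here on $_SESSION works as usual; nothing is written under /tmp.
session_start();
$_SESSION['user_id'] = 42;
$_SESSION['role']    = 'editor';
$id = session_id();
session_write_close();      // triggers $write with the serialized session

// Show what actually landed in the database: the same serialized format that
// the default handler would have written to /tmp/sess_<id>.
$stmt = $db->prepare('SELECT data FROM sessions WHERE id = :id');
$stmt->execute([':id' => $id]);
echo "stored for {$id}: ", $stmt->fetchColumn(), PHP_EOL;
```

Two details matter when adapting this: the read callback must return an empty string, not false or null, for a session ID it does not know, and every callback should use bound parameters, since the session ID arrives from the client's cookie before PHP has had any say in its contents.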

Yes, storing session data in the database entails a performance hit, but this seems a small price to pay to close a critical vulnerability: arbitrary session data exposure and modification. Most database scalability issues are solvable, and in the case that a particular application installation must meet stringent performance requirements, a dedicated hosting environment is likely to be available. Such installations always have the option of disabling the database session store. As a default, however, using the database as the session store is a wise choice.

Image credit: CarbonNYC
