Menu
▾
▴
[Phpwiki-talk] Security problem in PHPWiki sessions
|
From: Matthew P. <mp...@he...> - 2004-11-23 07:36:53
|
I've just had a bug reported against the Debian version of PHPWiki, whereby multiple wikis on the same site share a common session, and so logging into one site can possibly give you elevated privileges on another wiki on the same website. The original bug report is available at http://bugs.debian.org/282565. While the report was against 1.3.7, and I've not had a chance to verify whether the problem still exists against 1.3.10, I've looked through the CVS logs for lib/Request.php, and can't find any commits which appear to fix the problem. I intend to work up some test cases for this problem to verify the problem, and try and get a solid fix for the problem, but it's a trickier problem than it appear at first. The bug reporter suggested including the WikiName in the Cookie/SID variable name, but that won't work if you've got multiple wikis with the same name. Similarly, restricting the cookie to a particular path won't necessarily help, as I've got several wikis running in the same directory with different filenames. The safest fix I've come up with is to store a hash of the main script file (or config file, perhaps) in the session, check it on startup, and invalidate the session if the hash doesn't match. It's a wank, though, because it'll be slow as shit, and not cover various corner cases. I welcome the suggestions of people with more knowledge of these things than me, though. - Matt |
