Mar. 30, 2010
For many years now, Internet security experts have warned that PHP session IDs represent an important
security risk. Hacking or compromising session IDs is relatively simple for anyone with a very basic knowledge of
how PHP (Hypertext Preprocessor) technology works.
Adding fuel to the fire, Internet security expert Andreas Bogk warns that, despite some recent PHP improvements,
the session IDs of users logged into PHP applications running on a Linux server still remain easy to guess.
In fact, upon closer analysis, the so-called "improvements to PHP" display some very frightening weaknesses
in the overall PHP code.
To begin with, PHP assigns a session ID so that individual page calls can be allocated to a specific
logged-in user. To prevent attackers from using a forged session ID to take control of a session, the ID is
supposedly chosen at random.
However, when computers require random numbers, a pseudo-random number generator such as the Linear
Congruential Generator (LCG) is invariably used. Such generators use very complex mathematical operations to
generate a stream of numbers which are random at least in so far as it is impossible to predict future numbers from
the numbers already generated.
But a potential attacker who knows the initial state (the initialisation or seed value) of the generator can
still execute the same operations and calculate every pseudo-random number the generator will produce!
So it becomes essential that truly unpredictable values are used as the seed for initialising these generators.
Others go further and say that upper- and lower-case letters, along with punctuation characters, should also be added to
make session IDs next to impossible to guess no matter how good the potential attacker is.
But hacker Samy Kamkar demonstrated that in the case of PHP this wasn't done, and used a small program
to predict session IDs with sufficient accuracy to make trying out the remaining possibilities feasible, at least
to a certain degree.
This prompted the PHP.net team to improve the LCG's initialisation, so that since PHP versions 5.3.2 and 5.2.13
this specific attack has no longer been successful.
But a closer analysis of the changes made recently still reveals some very evident weaknesses.
For example, a PHP developer simply added the following comment to one of the changes:
/* Add entropy to s2 by calling gettimeofday() again */
This simply means that the PHP programmer uses a second system time call, made shortly after the first,
as an additional source of randomness.
We could compare this with someone who, having concluded that the number X is too easy to guess, proceeds to
combine this number with X + 23.
Bogk simply said "this doesn't give much extra entropy".
At least the PHP developers used only the lower bits of the time value rather than the whole value, which
contains more predictable information such as days, hours and minutes.
In his advisory, Bogk analyses further weaknesses in today's PHP implementation. The security expert
says that this approach reduces the unknown entropy to the process ID plus just a few microseconds, which
leads him to conclude that session IDs remain very easy to guess, at least for a smart attacker who knows
and understands the PHP code very well.
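As an added illustration (not code from the article, from Bogk's advisory, or from PHP's own source), the following Python models the situation described above: a toy LCG using the classic ANSI C rand() constants (an assumption, not PHP's parameters), a hypothetical seed derivation from the clock and the process ID, an estimate of how many bits of entropy such a seed can carry with and without a second clock reading taken a few microseconds later, and the mitigation, which is to draw session IDs from the operating system's CSPRNG instead. The function names (Lcg, lcg_session_id, seed_from_clock_and_pid, seed_entropy_bits, secure_session_id) and the seed formula are inventions for this example.

```python
import math
import secrets


class Lcg:
    """Minimal linear congruential generator: x(n+1) = (a * x(n) + c) mod m.
    The constants are the classic ANSI C rand() parameters, used here only
    for illustration; they are NOT the parameters of PHP's own LCG."""

    def __init__(self, seed, a=1103515245, c=12345, m=2 ** 31):
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self):
        self.state = (self.a * self.state + self.c) % self.m
        return self.state


def lcg_session_id(seed, words=4):
    """Hex token built purely from LCG output: the weak pattern. Because the
    generator is deterministic, the token is a pure function of the seed, so
    anyone who reconstructs the seed reconstructs the token."""
    g = Lcg(seed)
    return "".join(f"{g.next():08x}" for _ in range(words))


def seed_from_clock_and_pid(sec, usec, pid, usec_again=None):
    """Hypothetical seed derivation (an assumption for this example, not PHP's
    formula) mixing the request time and the process ID. `usec_again` models
    a second clock reading taken shortly after the first."""
    seed = (sec << 20) ^ usec ^ (pid << 8)
    if usec_again is not None:
        seed ^= usec_again << 4
    return seed


def seed_entropy_bits(seconds_window, usec_values, pid_values, delay_values=1):
    """Upper bound, in bits, on the entropy of such a seed from the point of
    view of someone who knows the request second to within `seconds_window`
    seconds, the microsecond field to one of `usec_values` values, the PID to
    one of `pid_values` values, and the gap between the two clock readings to
    one of `delay_values` values. A second reading a few microseconds later
    adds only log2(delay_values) bits: the article's "X and X + 23" point."""
    return math.log2(seconds_window * usec_values * pid_values * delay_values)


def secure_session_id(nbytes=16):
    """Mitigation: take the ID from the OS CSPRNG via the secrets module. Its
    output does not depend on the clock or the PID; 16 bytes gives 128 bits."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample values: a request time, its microsecond field, a PID.
    s = seed_from_clock_and_pid(1269907200, 123456, 4242)
    print("same seed, same token :", lcg_session_id(s) == lcg_session_id(s))
    print("clock+pid, one reading :",
          round(seed_entropy_bits(1, 10 ** 6, 32768), 1), "bits")
    print("clock+pid, two readings:",
          round(seed_entropy_bits(1, 10 ** 6, 32768, 100), 1), "bits")
    print("OS CSPRNG session id   :", secure_session_id(), "(128 bits)")
```

With the request second known (for example from a response Date header), the one-reading seed carries at most about 35 bits (a million microsecond values times 32768 PIDs), and a second reading whose offset lies within a hundred microseconds raises that by under 7 bits; a 16-byte token from the OS CSPRNG carries 128 bits regardless of what the attacker knows about the server's clock.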
Towards the end of his advisory, Bogk recommends that PHP developers improve their cryptography knowledge.
Curiously, most PHP installations which use the "Suhosin Extension" are not affected in any way.
In light of all this, it will be interesting to see how quickly PHP.net fixes this major security bug in
a server-side scripting language that is still viewed by many as secure and reliable under most "normal
Then again, most hackers and potential attackers on the Web today operate in an environment that isn't
considered by the security community as 'normal'...
Linux News Today.org is read by over 450,000 people involved in the field of Linux application development, professional Web hosting services, Linux security, Linux Web development, etc.