
PHP session IDs still represent huge security risks


Mar. 30, 2010

For many years now, Internet security experts have always said that PHP session IDs represent some important security risks. Hacking or compromising session IDs is relatively simple to anyone with a very basic knowledge of how PHP (Hypertext Preprocessor) technology works.

Adding fuel to the fire, Internet security expert Andreas Bogk warns that, despite some recent PHP improvements, session IDs of users who are logged into PHP applications running on a Linux server still remain easy to guess.

In fact, upon closer analysis, the so-called "improvements to PHP" reveal some very frightening weaknesses in the overall PHP code.

To begin with, PHP assigns a session ID in order to allow individual page calls to be allocated to a specific logged-in user. To prevent attackers from using a forged session ID to take control of a session, the ID is chosen supposedly at random.

However, when computers require random numbers, a pseudo random number generator such as the Linear Congruential Generator (LCG) is invariably used. Such generators apply deterministic mathematical operations to produce a stream of numbers that are random at least in so far as it is impossible to predict future numbers from the numbers already generated.

But a potential hacker who knows the initial state (the initialisation or seed value) of the generator can still execute the same operations and calculate all the pseudo random numbers generated!

So it becomes essential that truly unpredictable numbers are used as a seed for initialising these generators.

Others even say that letters, both upper and lower case, along with punctuation characters should also be added to make session IDs next to impossible to guess no matter how good the potential attacker is.

But hacker Samy Kamkar managed to demonstrate that in the case of PHP this wasn't done, and used a small program to predict session IDs accurately enough to make trying out the remaining possibilities feasible, at least to a certain degree.

This prompted the team to improve the LCG's initialisation so that, since PHP versions 5.3.2 and 5.2.13, this specific attack has no longer been successful.

But a closer analysis of all the changes made recently still reveals some very evident weaknesses.


For example, a PHP developer simply added the following comment to one of the changes:

/* Add entropy to s2 by calling gettimeofday() again */

This simply means that the PHP programmer uses a second system time call as an additional random source shortly after the first call.

We could compare this with someone who, having concluded that the number X is too easy to guess, proceeds to combine this number with X + 23.

Bogk simply said "this doesn't give much extra entropy".

At least the PHP developers only used the lower bits of the time value rather than the whole value, which contains more predictable information such as days, hours and minutes.

In his advisory, Bogk analyses further weaknesses in the current PHP implementation. The security expert says that this approach reduces the unknown entropy to the process ID and just a few microseconds, which leads him to conclude that session IDs remain very easy to guess, at least for a smart attacker who knows and understands the PHP code very well.
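To make the two points above concrete (an LCG is fully determined by its seed, and a seed built from the process ID plus the low bits of two gettimeofday() calls leaves only a small space for an attacker to enumerate), here is an added illustration written for this article; it is not PHP's code and not from Bogk's advisory. The LCG constants, the seed-mixing formula, the "23 microseconds later" second clock reading and the PID/microsecond ranges are all constructed assumptions chosen for illustration; the hardened alternative draws its ID from the operating system's CSPRNG instead.

```python
import os
import secrets
import time

# Toy 32-bit LCG (constructed for illustration; not PHP's actual generator).
LCG_MULT, LCG_INC, LCG_MOD = 1103515245, 12345, 2**31


def lcg_stream(seed: int, count: int) -> list[int]:
    """Return `count` successive LCG outputs: fully determined by the seed."""
    out, state = [], seed % LCG_MOD
    for _ in range(count):
        state = (LCG_MULT * state + LCG_INC) % LCG_MOD
        out.append(state)
    return out


def weak_seed(sec: int, usec: int, pid: int) -> int:
    """Seed built the way the article describes: process ID plus the low
    bits of two gettimeofday() readings taken moments apart (the second
    reading adds almost nothing an attacker cannot enumerate)."""
    usec2 = (usec + 23) % 1_000_000  # assumed second call, 23 us later
    return (pid << 20) ^ (usec & 0xFFFFF) ^ ((usec2 & 0xFFFFF) << 5) ^ sec


def weak_session_id(sec: int, usec: int, pid: int) -> str:
    """Session ID derived from the LCG: anyone who knows (sec, usec, pid)
    regenerates exactly this string."""
    return "".join(f"{x:08x}" for x in lcg_stream(weak_seed(sec, usec, pid), 4))


def weak_seed_space(pid_max: int = 32768, usec_window: int = 1000) -> int:
    """Number of candidate seeds once the login second is known: only the
    PID and a window of microseconds remain unknown (assumed ranges)."""
    return pid_max * usec_window


def strong_session_id(nbytes: int = 16) -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG, not reproducible
    from the clock or the PID."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    now = time.time()
    sec, usec, pid = int(now), int((now % 1) * 1e6), os.getpid()
    sid = weak_session_id(sec, usec, pid)
    # Same inputs -> same ID: the generator adds no secrecy of its own.
    assert sid == weak_session_id(sec, usec, pid)
    print(f"LCG id {sid}; about {weak_seed_space():,} seeds to enumerate")
    print(f"CSPRNG id {strong_session_id()}; 2^128 possibilities")
```

The contrast to draw is in the seed space: roughly tens of millions of candidates for the clock-and-PID seed versus 2^128 for the CSPRNG token, which is why the fix is a proper entropy source rather than a second clock read.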

Towards the end of his advisory, Bogk recommends that PHP developers improve their cryptography knowledge.

Curiously, most PHP installations which use the "Suhosin Extension" are not affected in any way.

In light of all this, it will be interesting to see how quickly this major security bug gets fixed in a server-side scripting language that many still view as secure and reliable under most "normal circumstances."

Then again, most hackers and potential attackers on the Web today operate in an environment that isn't considered by the security community as 'normal'...


Article featured on Tech Blog and on Business 5.0