Posted by R. Rajesh Jeba Anbiah on 01/18/08 13:22

On Jan 15, 7:24 am, Sebastian Lisken <Sebastian.Lis...@Uni-Bielefeld-
deletethis.de> wrote:
> Hi, I'm in the process of securing a PHP/MySQL website by making sure
> all strings that can at least possibly be manipulated from the outside
> are passed through the appropriate escaping functions and/or validated
> against patterns. In the most canonical cases, SQL strings supplied from
> the outside are handled by mysql_real_escape_string, HTML snippets by
> htmlentities, GET parameters in query strings by rawencodeurl. What I'm
> unsure about is whether SID needs to be treated. It's the variable used
> most often, so I guess I could improve efficiency a bit by not adding
> an escaping functions in snippets such as
>
> <a href="<? echo htmlentities($_SERVER['PHP_SELF']) . "?" . SID; ?>">
>
> Is there a known scenario in which an attacker could set SID to contain,
> say, HTML that could then be used in an XSS attack?

1. mysql_real_escape_string() is again broken. Use prepare statements
2. Disable trans sid--always use cookies based session
3. Possibly use DB based session handler
4. Some versions of PHP has XSS issues with $_SERVER['PHP_SELF']. So,
use $_SERVER['SCRIPT_NAME']
5. Session Ids can be "fixed". So, if you're concerned use DB based
sessions and use session_regenerate_id()

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

[Back to original message]