...

View Full Version : Is this secure? If not, are 'session variable variables' possible?



cfructose
08-05-2007, 11:25 PM
I think I covered myself security-wise, but want to see if there's a hole anyone can point out.

I'm restricting access to certain pages when user not logged in. Part of the security config looks like this: (The numbers, e.g. "01_01" refer to chapters and subchapters).


if ($_SESSION['logged_in'] == "no") {
$secure_01_01 = 0;
$secure_01_02 = 0;
$secure_01_03 = 0;
$secure_01_04 = 0;
$secure_02_01 = 1;
$secure_02_02 = 1;
$secure_02_03 = 1;
$secure_02_04 = 1;
$secure_03_01 = 0;
$secure_03_02 = 1;
$secure_03_03 = 1;
$secure_03_04 = 1;
}

I then create the variable $restricted_access, with the predefined page-specific $chapter and $subchapter:


$restricted_access = "secure_".$chapter."_".$subchapter;

and then...


if ($$restricted_access != 1) {
display page;
} else {
don't!
}

Can $$restricted_access be expressed as a SESSION variable variable? I'd feel happier if it were. But is that even necessary?

Aargh, I'm out of my depth here.

meth
08-05-2007, 11:54 PM
From php.net:

"Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

So no, a $_SESSION (a superglobal) cannot be a var var.

cfructose
08-06-2007, 09:19 AM
Thanks Meth,

I must have missed that 'warning'! - But I suspected that was the case.

So, any feedback on whether my approach is flawed?
:-)

firepages
08-06-2007, 12:09 PM
From php.net:

"Warning: Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods. "

So no, a $_SESSION (a superglobal) cannot be a var var.

and a good job as well else page.php?restricted_access=1 might allow you access if register_globals were turned on.

If you make your session an array


<?
$_SESSION['my_access']=array(
'C1_S1'=>1,
'C1_S2'=>0,
/*etc*/
);
?>
then you can simply check for that array value ...
<?
$chk = "C".$chapter."S".$subchapter;
if(isset($_SESSION['my_access'][$chk]) && $_SESSION['my_access'][$chk]!=1){
header("Location: unauthorised.htm");
}
?>
or similar;


even with the above.. depending on where $chapter and $subchapter come from, that may still be exploitable on a server with register_globals turned on, but that would depend on the rest of your code.

typo off to on !

cfructose
08-06-2007, 06:18 PM
Thanks so much for that erudite response. I'll implement that code immediately. :-)

Regarding session variable variables making abuse possible even with register globals off, I pondered the idea for a good five minutes before seeing what you meant, and then laughed out loud!

One follow up question:

$chapter and $subchapter are definied at the beginning of each page, but are never related to any user input, cookies, $_POST etc.

Does that mean that with register globals turned off, there are no security risks, or am I being na´ve? I think I understand that no variables can be manipulated or taken advantage of in any way so long as they remain in php code that can't be visible to a user (I.e. which you don't $_GET, for example). Am I right?

firepages
08-07-2007, 02:57 AM
Sorry edited my post ...I had globals off when I meant on !

register_globals off does not automagically make code safe but it does remove a few gotchta's , but personally I think the best way forward is to assume that register_globals might be on or off and assume you have no control of that setting... even if you do.

Any uninitialized variables are targets for injection , testing with error_reporting(E_ALL) will show you all those uninitialized variables giving you an E_NOTICE (or is it an E_WARNING?) , either way you can then decide if thats an issue or not.

To answer... in your example if $chapter and $subchapter are defined in each page with no reference to user input then there is no way for anyone to rewrite them.

cfructose
08-11-2007, 03:35 PM
Got it. Thanks :-)



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum