Newsgroups: php.internals
References: <50364644.1060302@lerdorf.com>
<5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com>
Date: Tue, 6 Aug 2013 04:41:29 +0900
To: Arpad Ray
Cc: Stas Malyshev, PHP Internals
Subject: Re: [PHP-DEV] Session Id Collisions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Arpad,

On Tue, Aug 6, 2013 at 4:17 AM, Arpad Ray wrote:
> On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki wrote:
>> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray wrote:
>>> I think there really should be a vote.
>>
>> This means you don't really understand the true risk of this
>> vulnerability. It allows permanent session ID fixation. This is a
>> CVE-assigned vulnerability. Details are explained in the RFC and I
>> don't want to explain fully on the ML again. (We might have discussed
>> the details in security@php.net, but I think I wrote enough info.)
>>
>> Please refer to the RFC.
>
> I do really understand the risk...

It allows "permanent" session ID fixation due to browser implementations.
To make matters worse than in the old days, recent browsers only send one
outstanding cookie. This made attack detection impossible on the server
side. (i.e. a bad countermeasure(?) taken by browser developers)

If you are still curious about this vulnerability fix, please read the RFC
and do a few experiments. I did the experiment 2 years ago (and even 10
years ago). I suppose things have not changed.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
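The fixation scenario described in the message above, as an added example that is not part of the thread and not code from the PHP project. It models a server-side session store in Python rather than using PHP's session extension: `SessionStore`, `fixation_scenario`, the attacker-chosen ID and the "strict" flag are all assumptions for illustration (the page does not name the RFC, so this is not a claim about its exact design). The permissive store adopts whatever session ID the client presents; the strict store only accepts IDs it issued itself, records the unknown ones, and hands out a fresh ID. The scenario assumes, as the message does, that the victim's browser keeps sending the attacker-planted cookie even after the server sets a new one.

```python
import secrets
from typing import Dict, List, Optional


class SessionStore:
    """Minimal model of a server-side session store (assumed structure, not PHP's)."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.sessions: Dict[str, dict] = {}   # sid -> session data
        self.rejected: List[str] = []         # unknown IDs refused (strict mode only)

    def _create(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def start(self, cookie_sid: Optional[str]) -> str:
        """Emulate a session start: return the ID this request's session runs under."""
        if cookie_sid is None:
            return self._create()
        if cookie_sid in self.sessions:
            return cookie_sid
        if self.strict:
            # ID the server never issued: refuse it, record it, hand out a fresh one.
            # The recorded ID is the detection signal a permissive server never gets.
            self.rejected.append(cookie_sid)
            return self._create()
        # Permissive: adopt any client-supplied ID. This is the fixation hole.
        self.sessions[cookie_sid] = {}
        return cookie_sid

    def regenerate(self, old_sid: str) -> str:
        """Emulate regenerating the ID: move data to a fresh ID and drop the old one."""
        new_sid = self._create()
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid


def fixation_scenario(strict: bool) -> dict:
    """Attacker plants FIXED in the victim's browser; the browser keeps sending it."""
    server = SessionStore(strict)
    fixed = "a" * 32  # constructed attacker-chosen ID, planted via a shadowing cookie

    # 1. Victim's first request arrives carrying the planted cookie.
    victim_sid = server.start(fixed)

    # 2. Victim logs in; the server stores the identity under that session.
    server.sessions[victim_sid]["user"] = "victim"

    # 3. Attacker presents the ID they planted and looks for the victim's data.
    attacker_sid = server.start(fixed)
    hijacked = server.sessions[attacker_sid].get("user") == "victim"

    # 4. Server regenerates the victim's ID and sends a new Set-Cookie, but the
    #    browser only sends the planted cookie, so FIXED comes back again.
    server.regenerate(victim_sid)
    next_sid = server.start(fixed)

    return {
        "hijacked": hijacked,
        "refixed_after_regenerate": next_sid == fixed,
        "rejections_logged": len(server.rejected),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "permissive", fixation_scenario(strict=mode))
```

In permissive mode the attacker reads the victim's session and the regenerated ID is undone on the very next request, which is the "permanent" fixation the message refers to; in strict mode the planted ID never becomes a session, and every attempt to use it leaves a logged rejection the server can alert on.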