Talk:Session poisoning

Tainting runtime $variables with GPC exploit; same but different
It seems that there is a confusion between 2 kinds of attacks.


 * 1) The article from  is a way to achieve session poisoning, accorded.
 * 2) But on the contrary, the examples are demonstrating the problem of url-passed global variables, a problem which has existed at least since 2001 Jul 25, when Ismael Peinado Palomo detailed a way to use it to get administrator privileges on a popular web application.

I first wrote a paragraph according to the examples, but now I think we need to clean the article from attack #2

An article should be written about attack #2 as well, even though it is an obvious one.

Nicolas1981 22:02, 2 March 2006 (UTC)

--Blaufish 19:32, 21 September 2007 (UTC)
 * I disagree. Ismael Peinado Palomo example does show something different. Yes. The php.ini GPC vulnerability is something different. Yes. But this vulnerability is used to perform session poisoning. First the GPC taints the $variables, then the tainted $variables taints the session. If you review the example carefully, there is no doubt about it. GPC-to-variable exploit is used to perform a session poisoning exploit. So it clearly is relevant to the article.
 * Maybe it should be removed anyway to reduce confusion, I'm not sure. I think most classes of this vulnerability don't come alone like in the trivial example. Real world example are very likely to depend on something more as well, such as a race condition, shared storage or runtime variable tainting as in this example

Forums as sources

 * Surely there are more reliable sources on this stuff than forum posts? For example, I'm sure there are thousands of books and (non-forum, reliable) websites out there on website security that are more credible than arbitrary people on a forum.  Wickethewok 22:00, 29 May 2007 (UTC)

Hmm. --Blaufish 19:01, 21 September 2007 (UTC)
 * Bugtraq is definitely viewed as a highly credible source of security information. I.e. it does not guarantee quality or correctness, but it is the place people go to when they research security. It dates back to the time security was in its ridiculously sad state of patches never being applied, information about security being kept secret. At it's time, bugtraq was something completely new, it broke the walls of secrecy. If you want a reliable technical source of security information which dates back to the 1990:ies, you almost only have bugtraq and academic work.
 * The full disclosure mailinglist is also regarded as an important source of information. FD was, to the point I could research, first of classifying this as a vulnerability class, and this article was really written to reflect that definition of that class. So there wasn't, that I could find, any security sites or academic work prior to the FD discussion which clearly defined this specific problem. It may be there are earlier work available which are of importance, or that there are new references which would be a great addition. If you find any, please do add them to the article!
 * I do agree that the reference to experts-exchange forum doesn't really contribute to the article. I went a bit too far in trying to find any old related article, since some FD post claimed, without any references, that this was old and already well known (which my searches doesn't support; there is very little available predating . I will remove the expert-exchange reference.

The code on this page is not standard quality
Is wikipedia the place for code examples? If so, shouldn't they be language independent, and correct? in this line: $_SESSION["$var"] = $var2;. I see $var2 while $var was set, and i see a variable quoted for no reason.Arakrys 11:30, 8 November 2007 (UTC)