
PHP Security Blog:
Cross Virtual Host Cookie Theft
December 15, 2006 @ 08:09:00

In a new post on the PHP Security Blog, Stefan Esser raises an issue for web applications on shared servers: a script or application can bind itself to a different port on the local machine.

Unfortunately the ability to bind yourself to a port and receive connections is a threat to web applications installed on different virtual hosts on the same IP, even if other security measures are in place, like tight filesystem permissions or executing PHP scripts with the permission of the owner.

He gives an example in PHP of how this can happen, along with one of its scary side effects: because the listening script is reached under the same domain, the browser passes that domain's cookie information along with the request. It's a simple concept that could have very bad consequences in the wrong hands.

Additionally, the listener doesn't even have to be written in PHP. As cyberlot mentions, it could be created in any language that has socket functions. Be sure to check out the comments on the post for more thoughts.
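Why the same-domain detail matters, as an added example that is not code from Stefan Esser's post or from this site: a simplified model of RFC 6265 cookie selection, showing that the port is never consulted and that a cookie marked Secure is withheld from a plain-HTTP listener. The host names, port 8080 and cookie entries are constructed for the illustration.

```javascript
// Added illustration: simplified RFC 6265 cookie selection. All hosts, ports
// and cookie values below are constructed for this example.

// RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: request path equals or is below the cookie path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
// The URL's port is never consulted: cookies are scoped by host and path
// (plus the Secure flag), not by port.
function cookiesSentTo(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// Constructed cookie jar for a virtual host named shop.example.
const jar = [
  { name: "PHPSESSID", domain: "shop.example", path: "/", hostOnly: true, secure: false },
  { name: "auth", domain: "shop.example", path: "/", hostOnly: true, secure: true },
];

// The vhost's real site, then a different listener on the same host name
// (port 8080 is an arbitrary example), then an unrelated host name.
const results = {
  realSite: cookiesSentTo("https://shop.example/cart", jar),
  otherPort: cookiesSentTo("http://shop.example:8080/", jar),
  otherHost: cookiesSentTo("http://blog.example:8080/", jar),
};
console.log(results);
```

In this model the session cookie without the Secure flag goes to whatever answers on the other port, while the Secure one stays back unless the listener can also speak HTTPS for that host name.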



All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework