
RE: Session dumped through an iframe... need help.



Posted by Lambda ViceCinC Enstyne On 2008-09-22 14:35:28
In Reply to RE: Session dumped through an iframe... need help. Posted by Guest(Mason) On 2008-09-22 14:06:51



Perhaps those view-source scripts are using JavaScript hackery to do it on the client side? You need to make sure the session cookie is sent with it... maybe some HTTP lib for PHP like 'curl' might help?

The problem here is naturally going to be that if your server is acting as a proxy for another site (let's say mrspoofy.org/proxy.php?http://www.hotmail.com or somesuch), then your browser won't send the session data to mrspoofy.org, because it will only give out the appropriate cookie to pages it requests from www.hotmail.com.

On 2008-09-22 14:06:51, Mason wrote
>I should have posted the other pieces of code or at least more information... I just don't want to give away too much information because of the potential implications of the concept.
>
>Okay, here it is... From an attacker's perspective. The index.php of the attacker's website contains an iframe that refreshes every 30 seconds.
>
>Inside of that iframe, pageswitcher.php is run. Pageswitcher gathers the content of the page in the url contained in url.txt and then writes it to a file to be read later. Because the iframe refreshes every 30 seconds, the attacker has the ability to change what content is gathered for every user who visits his website by changing the contents in url.txt.
>
>What you see below is a php script that opens url.txt. It then makes the url in url.txt a variable. Finally, it loads the content of that url to be written to a file (with another script).
>
>Now I'm not sure how to modify this so that it's not using the IP of attacker's server in the pageswitcher or so that it sends the session information of each person with it. I've seen a number of viewsource scripts that will take the source of external pages while keeping my session with that page alive. I'm just not sure how.
>
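>><?php
>> $DEFAULT_FILE = "index.php";
>> // Read the target URL from the first line of url.txt
>> $url = fopen("url.txt", "r");
>> $file = fgets($url);
>> fclose($url);
>> // fgets() returns false when nothing could be read; isset() would still be true
>> if ($file !== false) {
>>     // fgets() keeps the trailing newline, so strip it before using the URL
>>     $file2 = trim($file);
>>     echo "<div class=\"source\">\n";
>>     // Fetched by the server itself, not by the visitor's browser
>>     $content = file_get_contents($file2);
>>     echo $content;
>>     echo "</div>\n";
>> } else {
>>     $file = $DEFAULT_FILE;
>> }
>>?>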

VCinC. Enstyne - /sered Challenge Coder
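
The cookie scoping described in the reply above, as an added example that is not part of the original thread: a simplified version of the RFC 6265 rules a browser uses to decide which cookies go with a request. The jar contents and cookie names are constructed, and the hostnames are the ones used in the post.

```javascript
// Added example: simplified RFC 6265 cookie selection (domain-match, path-match, Secure).
// Simplifications: no expiry, no public-suffix list, no IP-address hosts.

function domainMatch(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (hostOnly) return false;               // no Domain attribute: exact host only
  return host.endsWith("." + cookieDomain); // Domain attribute: subdomains also match
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns the Cookie header value a browser would attach to a request for `url`.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatch(u.hostname, c.domain, c.hostOnly))
    .filter(c => pathMatch(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === "https:")
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: the visitor is logged in to www.hotmail.com and has visited mrspoofy.org.
const jar = [
  { name: "SESSION", value: "constructed-hotmail-session", domain: "hotmail.com",
    hostOnly: false, path: "/", secure: false },
  { name: "visits", value: "3", domain: "mrspoofy.org",
    hostOnly: true, path: "/", secure: false },
];

// Request made straight to the real site: the session cookie is attached.
const direct = cookieHeaderFor(jar, "http://www.hotmail.com/inbox");
// Request to the proxy page: the target URL is only a query string, so the
// host is mrspoofy.org and only that site's own cookie is attached.
const viaProxy = cookieHeaderFor(jar, "http://mrspoofy.org/proxy.php?http://www.hotmail.com");
console.log({ direct, viaProxy });
```

The server-side fetch in the quoted script is one step further removed: it runs with no visitor cookie jar at all, so the remote site sees an anonymous request from the server's IP.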

