In web applications I've tested recently I have stumbled upon something that seems to be new class of bugs. Quick googling did not turn up any reference to this kind of vulnerabilities, so I thought I should describe it. The problem boils down to the application reusing the same session variable name in different application functions. In one function the session variable is initialized from the user supplied data, and in another function the value of the same session variable is used to perform some sensitive action. Here is an example. Suppose you have a web application that requires authentication with login and password. New users can register by filling in a form (let's say displayed by register1.php). register2.php takes the form data, saves it in the session, checks it, and if something is wrong with it, redirects back to register1.php with error message saying what needs to be corrected. Say the login name the user has chosen is saved to the session like this: $_SESSION['login'] = $_POST['login']; Now, let's say another part of the application deals with forgotten passwords. On page resetpw1.php the user enters his user name. resetpw2.php looks up the secret question for that user in the database and displays it. User enters the answer to the secret question. resetpw3.php checks if the answer is correct, saves the user name in the session ($_SESSION['login'] = $_POST['login'];) and asks the user to enter the new password. The user enters the new password, and resetpw4.php takes the user name from the session ($login = $_SESSION['login']), takes the password from the form data, and updates the password for that username in the database. An attacker can first submit data to register2.php (setting the $_SESSION['login'] to the value of his choice) and then submit data to resetpw4.php that will take $_SESSION["login"] and change the password for that account. resetpw4.php trusts the value in $_SESSION['login'] because it thinks that $_SESSION['login'] was created by resetpw3.php, which verified it by means of secret question. The problem stems from the fact that same session variable is used by different processes in the application to store both trusted and untrusted data. I have seen this kind of bugs (not only related to logins and passwords, but other things as well) in several different applications, written by different development teams in Java and PHP. I suppose it is rather common problem. These bugs are easy to identify when the source code is available - just grep for lines where the session variables are initialized, check where the data comes from, and if it comes from the user, check where else that session variable is used. They are a lot more difficult to find with a black-box testing of a web application, though one can and does stumble upon them accidentally. As for fixing those bugs, I suppose one approach is having a separate session variable for each function in the application. For example new user registration will keep its stuff in $_SESSION["register"]["login"] and authentication will keep its stuff in $_SESSION["auth"]["login"] Regards, Alla Bezroutchko Scanit
