Hacking Virtual Hosting Sessions.

Published on: 1177612660
In this article I talk about exploiting virtual hosting accounts to steal sessions across all virtual hosting accounts on a server. Not many know that in virtual hosting the temporary folder that holds session data is shared. Obviously no user account can access that folder directly, for very good reasons. But a server-side language can: PHP runs as the web server's shared, unprivileged user rather than as an individual account, and that user has access to the tmp folder. This is logical, because PHP must also be able to write session data. So we can exploit this by using PHP to read all session data. This only works when safe_mode is turned off. Don't be fooled by that setting; not all web hosts enable it. So a security danger can come from an unexpected direction.

This output is actual session data from an online shop. I grabbed this session from a virtual account somewhere. I only show it to you as an example that I can steal sessions fairly trivially. The session data below shows you a list of Dutch banks:

a:5:{i:0;a:2:{s:2:"id";i:0;s:4:"text";s:17:"Select Your Bank";}i:1;a:2:{s:2:"id"
;s:4:"0721";s:4:"text";s:8:"Postbank";}i:2;a:2:{s:2:"id";s:4:"0751";s:4:"text";
s:8:"SNSBank";}i:3;a:2:{s:2:"id";s:4:"0021";s:4:"text";s:8:"Rabobank";}
i:4;a:2:{s:2:"id";s:4:"0031";s:4:"text";s:8:"ABN Amro";}}


And here is a user password list I just sniffed around a virtual hosting account I just owned:




So how did I do that? Well, a few lines of PHP and a virtual hosting account are enough to try it out yourself. We can build a simple script to access all session data across the server, which includes tons of other sites that reside on the same server. The example script only shows you the list of sessions in the tmp folder; it doesn't read them, because I don't want people to mess with this stuff. Anyone clever enough knows how to read files with PHP.

Still, if you really want to try it out and don't know how to read the sessions, you can grab a full script from here: http://phpsec.org/projects/guide/5.html
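
A check for the condition described above, from the account holder's side. This is an added example, not part of the original article: it reports whether this account's sessions land in a shared temp directory and whether PHP runs as a uid other than the account owner. The name audit_session_storage is hypothetical, and posix_geteuid() assumes the posix extension is loaded.

```php
<?php
// Added example, not from the original article. audit_session_storage() is a
// hypothetical helper name; posix_geteuid() assumes ext-posix is loaded.

/** Returns findings about who can reach the directory holding session files. */
function audit_session_storage(string $savePath, int $processUid, int $ownerUid): array
{
    $findings = [];
    $tmp = rtrim(sys_get_temp_dir(), '/');

    // session.save_path may be "N;MODE;/path"; the directory is the last field.
    $fields = explode(';', $savePath);
    $dir = rtrim((string) end($fields), '/');
    if ($dir === '') {
        $dir = $tmp;
        $findings[] = "session.save_path is empty, so sessions fall back to $dir";
    }
    if (in_array($dir, ['/tmp', '/var/tmp', $tmp], true)) {
        $findings[] = "$dir is a system temp directory shared by every account on the host";
    }
    // The condition the article relies on: one uid serves every site.
    if ($processUid !== $ownerUid) {
        $findings[] = "PHP runs as uid $processUid, not the account owner (uid $ownerUid), "
            . "so scripts of other sites run by that uid can read these session files";
    }
    $stat = @stat($dir);
    if ($stat === false) {
        $findings[] = "cannot stat $dir";
        return $findings;
    }
    if ($stat['uid'] !== $ownerUid) {
        $findings[] = "$dir is owned by uid {$stat['uid']}, not by this account";
    }
    if (($stat['mode'] & 0077) !== 0) {
        $findings[] = sprintf('%s has mode %04o: group/other access is allowed',
            $dir, $stat['mode'] & 07777);
    }
    return $findings;
}

// getmyuid() returns the owner of this script file, i.e. the hosting account.
$ownerUid = (int) getmyuid();
$processUid = function_exists('posix_geteuid') ? posix_geteuid() : $ownerUid;
$savePath = (string) ini_get('session.save_path');
foreach (audit_session_storage($savePath, $processUid, $ownerUid) as $finding) {
    echo "[!] $finding\n";
}
```

An empty result means session files sit in a directory owned by this account, closed to group and other, and written by a PHP process running as the account's own uid.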