-1

I developed 4 news agency sites with my personal CMS.

Now I have a problem: somebody can delete my news and some other records in the database. I'm sure that it's not a SQL injection, because of my table names and my long table name prefix.

Anyway, is it possible that somebody injects a session and logs in to the admin side of the site?

Alireza Fallah
  • 1
    Any log can be traced? Check server logs. Do you leak the user name & password to others? – Raptor Sep 03 '13 at 06:12
  • Probably yes, session hijacking is always a possibility. It's really hard to tell what specific answer you are looking for. Maybe take a look into the [suhosin project](http://www.hardened-php.net/suhosin/), that has some session security enhancements. – complex857 Sep 03 '13 at 06:13
  • Almost everything is possible in this crazy world. Without looking at some code we are not able to tell you what may be wrong. – Paul Denisevich Sep 03 '13 at 06:14
  • No, these sites have many users with different usernames and passwords. Nobody else has the username and password. My question is about session injection – Alireza Fallah Sep 03 '13 at 06:16
  • Can you describe what you mean by `session injection` and how it happens? – DevZer0 Sep 03 '13 at 06:17
  • 2
    My exact question is: if it's possible that somebody makes a fake session and logs in to my site, what should I do? – Alireza Fallah Sep 03 '13 at 06:18
  • 4
    What the hell does "i'm sure that its not a sql injection,because of my tables name and my long table name prefix." mean? How would naming of tables prevent SQL injection? – David-SkyMesh Sep 03 '13 at 06:21
  • I mean nobody can guess my table name to use injection. @David-SkyMesh – Alireza Fallah Sep 03 '13 at 06:27
  • @AlirezaFallah Don't be so sure! Have you somehow configured your database, PHP and web-server to avoid displaying error messages that might contain the table name? (Say if the user passes intentionally invalid SQL) --- Obfuscation is a terrible way to prevent SQL injection. Use prepared statements like everyone else! – David-SkyMesh Sep 03 '13 at 06:30
  • 1
    You've mentioned one thing and said it's secure. It's not. You've given no code for us to review, so we have nothing else to check! – David-SkyMesh Sep 03 '13 at 06:34

2 Answers

4

Many injection techniques do not rely on knowing your table names. Apart from the fact that it is just security through obscurity, the easiest is the `OR 1=1` injection trick, making your password-check `WHERE` return true all the time (this is a simplification, of course).

As you see, there is no table name needed. With this trick, a person can log in as anyone, so this could be the infamous "session-stealing" you mean.

I believe this is easier to accomplish than stealing an actual PHP session, as for the latter you probably need access to the actual server. Unless you include cookie stealing in there: someone copies your cookie and makes himself you. It depends on how your log-in is tied to the cookie: if the system makes a new valid session from cookie data, then you might have a problem. How to steal a cookie? Well, the client can read its own cookie, so a simple XSS (the attacker can make you look at some code) could have you unwillingly read your cookie and post it somewhere.

The bottom line is that

  • Your reasons for it not being injection are false, and you really should look into that.
  • Yes, session stealing is possible, even easy depending on how you define it.
  • No, session stealing doesn't seem to be the first cause I'd check out, but then again, we know nothing of your code.
Nanne
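Added example, not part of the answer above or of the asker's CMS: the `OR 1=1` case against a concatenated login query and against the same query with bound parameters. The table name, account and function names are constructed, and the `pdo_sqlite` extension is assumed so it runs in memory. The concatenated version returns the stored account even though the input never names the table; the prepared version returns no row.

```php
<?php
// Added example; schema, data and function names are constructed for illustration.
// Assumes the pdo_sqlite extension so the demo runs against an in-memory database.
const TABLE = 'cms_x9f3a7_long_prefix_users';   // the "unguessable" table name

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . TABLE . ' (name TEXT, pass TEXT)');
// sha256 keeps the demo short; real code stores password_hash() output
// and checks it with password_verify().
$pdo->prepare('INSERT INTO ' . TABLE . ' VALUES (?, ?)')
    ->execute(['admin', hash('sha256', 'constructed-password')]);

// Vulnerable: user input is concatenated into the SQL text.
function login_vulnerable(PDO $pdo, string $name, string $pass): ?string
{
    $sql = 'SELECT name FROM ' . TABLE
         . " WHERE name = '$name' AND pass = '" . hash('sha256', $pass) . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Fixed: same query with bound parameters; input cannot change its structure.
function login_prepared(PDO $pdo, string $name, string $pass): ?string
{
    $stmt = $pdo->prepare(
        'SELECT name FROM ' . TABLE . ' WHERE name = ? AND pass = ?'
    );
    $stmt->execute([$name, hash('sha256', $pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Constructed input: it never names the table, the application supplies that itself.
$input = "' OR 1=1 --";
var_dump(login_vulnerable($pdo, $input, 'anything'));
var_dump(login_prepared($pdo, $input, 'anything'));
var_dump(login_prepared($pdo, 'admin', 'constructed-password'));
```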
2

> sure that its not a sql injection,because of my tables name and my long table name prefix.

I would not be particularly sure that it's not, for two reasons:

  1. It's surely not for the reasons you give.
  2. You being sure while it's known to be wrong leads to the conclusion that you made many grave mistakes, which extraordinarily raises the risk factor of the mistakes you made.

This combination normally easily opens up code for SQL injections. Compare with:

As this material shows, it has normally nothing to do with table names and long table name prefixes.

> anyway , is that possible that some body inject session and login to admin side of site?

Yes, there is some chance that this is possible, too. You need to prevent session fixation and session data injection (e.g. prevent tampering with the data on the file-system / session store).

The way you ask, I'd suggest you get in contact with a more security-experienced developer and let him do a review of your code-base. Security is a process, and four eyes normally do see more than two. Also, it's good to have someone who is not writing the code, so that person is not that involved and less biased when giving feedback, having more of a bird's-eye view of all the things, while you, for example, still think that table names would prevent SQL injection when it's just security by obscurity.

hakre
  • s/not sure/surely not/ – David-SkyMesh Sep 03 '13 at 06:22
  • So, is there a way to make a login session without actually logging in to the site? – Alireza Fallah Sep 03 '13 at 06:35
  • Well, first of all I'd say: Fix the SQL injection, it's often a more popular attack vector. But sure, you also need to fix session fixation/injection if it is possible. But perhaps as well you've got missing access checks? So as written, get a review of your code first, not that you now start to "fix" things while you still don't know what the cause is (no easy answers, just understanding and doing possible when it comes to programming. Not doing so leads to security issues then - when found out - show much likely which mistakes have been done in the past all the way along). – hakre Sep 03 '13 at 06:59
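Added example, not part of the thread or of the asker's CMS: one way to cover the session points raised in the answers (fixation, cookie theft through XSS, missing access checks) with PHP's built-in session functions. The function names and the `user_id` / `is_admin` session keys are hypothetical; the array form of `session_set_cookie_params()` assumes PHP 7.3 or later and the site is assumed to be served over HTTPS.

```php
<?php
// Added example; function names and session keys are hypothetical.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
    ini_set('session.use_trans_sid', '0');     // never write the ID into links
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // cookie is sent over HTTPS only
        'httponly' => true,      // a script injected via XSS cannot read it
        'samesite' => 'Strict',
    ]);
    session_start();
}

function on_successful_login(int $userId, bool $isAdmin): void
{
    // Issue a new ID at the privilege change and delete the old session,
    // so an ID planted or observed before login is no longer valid.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}

function require_admin(): void
{
    // Access check for every admin request, based only on data stored
    // server-side in the session, never on request parameters or cookies.
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    // Drop the server-side data so the old cookie value is worthless.
    $_SESSION = [];
    session_destroy();
}
```

Every admin script would call `start_hardened_session()` and then `require_admin()` before doing any work, including the scripts that delete records.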