I wrote a PHP application for creating and editing forms and decided to make it open source and publicly available. A few days after releasing the first public version I received an email alerting me to a security flaw that had been posted on a hacking and security community site. Besides obviously being a personal disappointment, it proved to be a useful learning experience. Two security flaws were found; I’ll address the other in a separate post, but right now I will discuss the cookie hack vulnerability.
Despite some people’s fear of cookies, most web programmers realize how useful they are. I personally have always preferred them to using sessions. Well, I didn’t realize just how easy it is to create a fake cookie. As Chris Shiflett points out in his useful article, “Easy Cookie Hacking,” all you need to do is visit a site and then in your Firefox browser location bar type:
where the cookie name would be whatever cookie you are trying to fake.
So, the problem with my code was that I was only checking to see if a cookie existed in order to allow admin login. Completely stupid on my part, I know. You can now easily see that all someone would need to know is the name of the cookie my script wrote to gain access to the administrative area. If you never post this information publicly you will probably be OK. But it is obviously much harder to know the cookie name AND the relevant value, so why not just check that to allow login or whatever access you want to provide in your script? Lesson learned by this DIYer.
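To make the difference concrete, here is an added example (not code from the form application itself) of the two server-side checks side by side: the presence-only check that the location-bar trick above defeats, and a check on a cookie value the visitor cannot forge because it carries an HMAC computed with a key that never leaves the server. The cookie name `ffadmin`, the hour-long lifetime and the way the key is generated are assumptions made for the example.

```php
<?php
// Added example: presence-only cookie check vs. a signed cookie the client cannot forge.
// Not the original application's code; the cookie name and key handling are assumptions.
declare(strict_types=1);

const ADMIN_COOKIE = 'ffadmin';   // assumed cookie name

// The vulnerable pattern: any cookie with the right name grants admin access, so
// typing javascript:document.cookie="ffadmin=1" into the location bar is enough.
function isAdminVulnerable(array $cookies): bool
{
    return isset($cookies[ADMIN_COOKIE]);
}

// Build a cookie value that says who and until when, plus an HMAC over both.
// $key is a long random secret kept only on the server (e.g. in a config file
// outside the web root); it is never sent to the browser.
function makeAdminCookie(string $user, int $expiresAt, string $key): string
{
    $payload = $user . '|' . $expiresAt;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Accept the cookie only if its MAC verifies under the server key and it has not expired.
function isAdminHardened(array $cookies, string $key, int $now): bool
{
    if (!isset($cookies[ADMIN_COOKIE]) || !is_string($cookies[ADMIN_COOKIE])) {
        return false;
    }
    $parts = explode('|', $cookies[ADMIN_COOKIE]);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expiresAt, $mac] = $parts;
    if (!ctype_digit($expiresAt) || (int) $expiresAt <= $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiresAt, $key);
    // hash_equals() runs in constant time, so timing leaks nothing about the MAC.
    return hash_equals($expected, $mac);
}

// How the cookie is issued after a successful password check. The flags matter:
// HttpOnly keeps page scripts from reading it, Secure keeps it off plain HTTP.
function sendAdminCookie(string $user, string $key): void
{
    $expiresAt = time() + 3600;
    setcookie(ADMIN_COOKIE, makeAdminCookie($user, $expiresAt, $key), [
        'expires'  => $expiresAt,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed demonstration with hand-built $_COOKIE arrays (no real requests).
$key = bin2hex(random_bytes(32));   // in practice generate once and store server-side
$now = time();

$forged = [ADMIN_COOKIE => 'yes'];  // what the location-bar trick produces
echo 'forged cookie, presence-only check: ',
     isAdminVulnerable($forged) ? 'admin' : 'denied', PHP_EOL;
echo 'forged cookie, signed check:        ',
     isAdminHardened($forged, $key, $now) ? 'admin' : 'denied', PHP_EOL;

$genuine = [ADMIN_COOKIE => makeAdminCookie('admin', $now + 3600, $key)];
echo 'genuine cookie, signed check:       ',
     isAdminHardened($genuine, $key, $now) ? 'admin' : 'denied', PHP_EOL;

// Changing the user name while keeping the old MAC invalidates the cookie.
$tampered = [ADMIN_COOKIE => 'root' . substr($genuine[ADMIN_COOKIE], 5)];
echo 'tampered cookie, signed check:      ',
     isAdminHardened($tampered, $key, $now) ? 'admin' : 'denied', PHP_EOL;
```

Two caveats worth keeping in mind. First, the cookie name is not a secret in practice: any legitimate user can read it in their own browser, and for an open-source application it is in the published code, so the server must never rely on the name alone. Second, checking for one fixed value turns that value into a shared password that grants access to anyone who ever sees it; a MAC with an expiry (as above), or a random per-login token stored server-side and compared with `hash_equals()`, bounds the damage. The `HttpOnly` flag protects the genuine cookie from being read by injected script, but it does nothing to stop a visitor from creating their own cookie of the same name; only the server-side check does that.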