FUDforum: Bug Reports » INSERTions into ses table for unknown users

Home » FUDforum Development » Bug Reports » INSERTions into ses table for unknown users (Fantom sessions?)

Show: Today's Messages :: Polls :: Message Navigator

Re: INSERTions into ses table for unknown users [message #168063 is a reply to message #168062]

Wed, 09 January 2013 01:33

San ???????
Messages: 4
Registered: January 2013

Karma:

Junior Member

It seems like I found a cause of the problem. There is session checking in index.php on every request and if client has no session cookie it created (for anonymous users too, in ses_anon_make()). The last could be used for DoS attack if client ignores forum cookie - that is why I'm having a lot of new lines in ses table for non-existing accounts. The code (from ses_anon_make()) gives me no chance in this case:

do {
    $uid = 2000000000 + mt_rand(1, 147483647);
    $ses_id = md5($uid . __request_timestamp__ . getmypid());
} while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid(). "', ".$uid.')', $ef, 1)));

Cyclic INSERTions to DB to get ID just brilliant. Smile

For crackers, of course... For example, my forum has about 6000 registered accounts and only few of them are really active, but my sesssion table file (MyISAM) takes about 2 GBytes on disk now and grows quickly.

Report message to a moderator

[Message index]

		INSERTions into ses table for unknown users By: San ??????? on Tue, 08 January 2013 17:00
		Re: INSERTions into ses table for unknown users By: Marticus on Tue, 08 January 2013 18:08
		Re: INSERTions into ses table for unknown users By: San ??????? on Tue, 08 January 2013 20:59
		Re: INSERTions into ses table for unknown users By: San ??????? on Wed, 09 January 2013 01:33
		Re: INSERTions into ses table for unknown users By: San ??????? on Wed, 09 January 2013 02:14
		Re: INSERTions into ses table for unknown users By: NeXuS on Tue, 15 January 2013 15:00
		Re: INSERTions into ses table for unknown users By: NeXuS on Tue, 15 January 2013 15:26
		Re: INSERTions into ses table for unknown users By: NeXuS on Tue, 15 January 2013 17:19

Previous Topic:	CKEditor conflicts with default formatting tools
Next Topic:	Censorship bug

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri May 10 18:01:57 GMT 2024

Total time taken to generate the page: 0.07435 seconds