Zen Cart v1.3.0.2-l10n-jp-1 Session Fixation PATCH Released Feb 28, 2007
========================================================================

This patch addresses the Session Fixation vulnerability in v1.3.0.2-l10n-jp-1.

The zip file contains the following:
/admin/includes/init_includes/overrides/init_sessions.php
/includes/init_includes/overrides/init_sessions.php
/includes/functions/strict_sessions.php
session_fixation.patch.sql


Applying the patch
==================

Step 1
---------------
Copy the three PHP files into your shop, preserving the directory structure.
If you have renamed the admin directory, rename the patch's admin directory
to the same name before copying.
This patch does not overwrite any program file, so as long as no files with
the same names already exist it is safe to copy them as-is.

Step 2
---------------
Run session_fixation.patch.sql from the admin panel via
[Tools]->[Install SQL Patches].


Details of the countermeasure
=============================

PHP's Session Fixation vulnerability is described here:

  http://phpsec.org/projects/guide/4.html#4.1

If SESSION_FORCE_COOKIE_USE is set to False in your shop, Zen Cart is
vulnerable to Session Fixation.

For example, the following scenario using Session Fixation is possible:

  Scenario
    1. The attacker puts a value they know into the zenid GET parameter of
       a URL and lures the victim into accessing that URL.
    2. After the victim logs in, the attacker accesses the shop with the
       same zenid and can thereby take over the victim's account
       (Session Hijacking).

The Japanese community forum also has the following report:
  http://zen-cart.jp/bbs/viewtopic.php?t=3031


To eliminate the vulnerability, this patch takes the following measures:

 - Apply the advice in http://phpsec.org/projects/guide/4.html#4.1
 - Change the default value of
   [Configuration]->[Sessions]->[Force Cookie Use] to True
 - Change the default value of
   [Configuration]->[Sessions]->[Recreate Session] to True
    * Recreate Session already defaults to True, so this patch does not
      actually change anything for it. If your shop has it set to False,
      switch it to True.
 - When [Configuration]->[Sessions]->[Force Cookie Use] is True, use ini_set
   so that PHP sessions accept the session ID from cookies only
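The following is an added illustration of the measures above, written for this
document; it is not the code shipped in the patch files listed earlier. It
shows a minimal session bootstrap that (a) makes PHP accept the session ID
from the cookie only, mirroring Force Cookie Use, (b) discards an ID that
arrived solely in the URL, and (c) regenerates the ID at login as phpsec.org
4.1 recommends. The $config array, configure_session(),
start_strict_session() and on_successful_login() are names assumed for this
example.

```php
<?php
// Added example (not the Zen-Cart.JP patch code). Names below are assumptions.

// Stand-in for the admin setting "Force Cookie Use" (SESSION_FORCE_COOKIE_USE).
$config = ['SESSION_FORCE_COOKIE_USE' => 'True'];

function configure_session(array $config)
{
    if ($config['SESSION_FORCE_COOKIE_USE'] === 'True') {
        // Accept the session ID from the cookie only; never read it from
        // the URL and never rewrite URLs to carry it.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
        ini_set('session.use_cookies', '1');
    }
    // Keep the cookie out of reach of client-side script.
    ini_set('session.cookie_httponly', '1');
}

function start_strict_session($name = 'zenid')
{
    session_name($name);
    session_start();

    // If the ID came only through the query string (no cookie present),
    // it is untrusted: replace it so a value chosen by someone else can
    // never become the live session. With use_only_cookies enabled PHP
    // already ignores the URL value; this keeps the check independent of
    // that setting.
    if (isset($_GET[$name]) && !isset($_COOKIE[$name])) {
        session_regenerate_id(true);
    }
}

// Call whenever privilege changes (customer or admin login).
function on_successful_login($customerId)
{
    // Issue a fresh ID and delete the old session data, so any ID known
    // before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['customer_id'] = (int) $customerId;
}

configure_session($config);
start_strict_session();
```

The two ini_set calls for session.use_only_cookies and session.use_trans_sid
are the ones that matter for fixation: with them set, a zenid in the URL is
simply ignored, and session_regenerate_id(true) at login covers the case where
an ID was somehow established before authentication.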



Notes
=====

Apply this patch at your own risk.
Also, do not forget to back up your system before applying the patch.


                                         Zen-Cart.JP <dev@zen-cart.jp>
