
    if(isset($_COOKIE['4chan_auser'])&&isset($_COOKIE['4chan_apass'])){
        $user = mysql_real_escape_string($_COOKIE['4chan_auser']);
        $pass = mysql_real_escape_string($_COOKIE['4chan_apass']);
    }

HAHAHAHAAHAHAHAHAA

Steal a cookie, gain access.. WTF



Aren't you able to hijack sessions on most webpages if you stole session cookies?


The real problem is: "extract($_POST); extract($_GET); extract($_COOKIE);"

For more information on extract: http://www.php.net/extract


Docu on extract():

    Description 
       Import variables from an array into the current symbol table.
       If flags is not specified, it is assumed to be EXTR_OVERWRITE.

       EXTR_OVERWRITE
          If there is a collision, overwrite the existing variable.

The danger is that any state variables set before the extract($_...)'s can be overwritten arbitrarily. This also makes it essential that any and every variable is instantiated prior to any use.
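
The overwrite behaviour described in the comment above, as an added example that is not part of the original thread or of the code being discussed. The handler names and the `$request` array are hypothetical; `$request` is constructed data standing in for `$_GET`/`$_POST`/`$_COOKIE`.

```php
<?php
// Constructed request data standing in for $_GET/$_POST/$_COOKIE.
$request = ['is_admin' => '1', 'name' => 'guest'];

// Pattern from the thread: state is set first, then extract() runs with the
// default EXTR_OVERWRITE flag, so request keys replace local variables.
function unsafe_handler(array $request): bool
{
    $is_admin = false;          // state variable set before extract()
    extract($request);          // a request key named is_admin collides with it
    return (bool) $is_admin;
}

// Mitigation 1: EXTR_SKIP never overwrites a variable that already exists.
// Still fragile: any variable not initialised before the call is taken
// from the request, which is why every variable must be set up front.
function skip_handler(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;
}

// Mitigation 2 (preferred): no extract(); read only the keys that are
// expected, with a type check, and derive state from server-side data.
function explicit_handler(array $request): array
{
    $is_admin = false;
    $name = (isset($request['name']) && is_string($request['name']))
        ? $request['name']
        : '';
    return ['is_admin' => $is_admin, 'name' => $name];
}

var_dump(unsafe_handler($request));
var_dump(skip_handler($request));
var_dump(explicit_handler($request));
```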


Does it mean that the password is stored in the cookie, or am I missing something?


It's probably a hashed version. It would be horrendous if it was actually stored in plain text.


How do you "steal" a cookie?


The best bet is generally an XSS attack. There are other ways, though: you could sniff one on a wireless network if no encryption is in use.


Get on the same WiFi as your target, open up Wireshark and grab their HTTP communications.

To make this easier, there was/is a tool called Firesheep that can be used to hijack session cookies. The popularity of Firesheep caused many sites to enable HTTPS by default (e.g. Facebook did so).


If you need to be on the same WiFi as your target I really don't see the big problem, realistically speaking.


Common, shared wired LANs at offices and workplaces are a problem. Home LANs, where family members need privacy from one another, are also a problem.



