Php DigiD authentication implementation

From Arnout Engelen


https://www.uitwisselplatform.nl/projects/phpdigidauth/

A small example of using DigiD in practice.


(Preliminary) audit results

Use of PHP sessions

A PHP session is used to store the current step of the flow, as shown in status.php.

Concerns:

  • The implementation appears to be vulnerable to the attacks described in [1]: session hijacking and session fixation. Since the later pages take the sensitive information (such as the BSN) from the session_digid session, this is a real problem.
  • Where does $session_digid come from? Is it populated through register_globals? TODO.

Information per file

status.php

// Registers the global $session_digid as a session variable
// (session_register() is deprecated since PHP 5.3 and removed in 5.4).
session_register ("session_digid");
// Record that the user is at step 1 of the flow.
$session_digid['stap'] = 1;

step1.php

  • Resets $session_digid[].
  • Points the user to login_digid.php.

login_digid.php

  • Uses CGI to initialize the DigiD session, telling it to redirect to step2.php afterwards.
  • If the initialization succeeds:
    • registers a session_digid_init session containing the RID and the aselect-server
    • redirects the user to the URL provided by the DigiD server

step2.php

  • Gets aselect_credentials, rid and a-select-server from the user.
  • Checks:
    • rid is equal to the rid stored in the session_digid_init session
    • a-select-server is equal to the rid stored in the session_digid_init session (fixed per service?)
  • Contacts DigiD to 'verify credentials'.
    • Exactly what is verified?
  • Gets various information in the response.
  • Prints 'you are now authenticated, your BSN is (foo)' and a link to the next page(s).
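The following is an added example of what a hardened step2.php could look like, addressing the session fixation concern noted above and the rid/a-select-server checks of this step. It is not the audited project's code. It assumes login_digid.php stored 'rid' and 'aselect-server' in $_SESSION['session_digid_init'], that DIGID_VERIFY_URL is a placeholder for the verification endpoint, and that the 'verify credentials' response is a query-string style body with result_code and uid fields (an assumption about the A-Select response format).

```php
<?php
// Hardened sketch of step2.php (added example, not the audited project's code).
// Assumptions: login_digid.php stored 'rid' and 'aselect-server' in
// $_SESSION['session_digid_init']; DIGID_VERIFY_URL is a placeholder; the
// 'verify credentials' response is assumed to be a query-string style body.
declare(strict_types=1);
const DIGID_VERIFY_URL = 'https://digid.example/aselectserver/server'; // placeholder

// Cookie hardening against hijacking: only over TLS, not readable from JavaScript.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function expectParam(string $name): string {
    // Read request parameters explicitly instead of relying on register_globals.
    $v = $_GET[$name] ?? '';
    if (!is_string($v) || $v === '') { http_response_code(400); exit("Missing $name"); }
    return $v;
}

function verifyCredentials(string $server, string $rid, string $cred): ?string {
    // Ask the DigiD/A-Select server to verify the credentials; returns the BSN or null.
    $url = DIGID_VERIFY_URL . '?' . http_build_query([
        'request' => 'verify_credentials', 'a-select-server' => $server,
        'rid' => $rid, 'aselect_credentials' => $cred]);
    $raw = @file_get_contents($url);
    if ($raw === false) { return null; }
    parse_str($raw, $resp);
    return (($resp['result_code'] ?? '') === '0000' && !empty($resp['uid'])) ? $resp['uid'] : null;
}

$rid    = expectParam('rid');
$server = expectParam('a-select-server');
$cred   = expectParam('aselect_credentials');

$init = $_SESSION['session_digid_init'] ?? [];
// Both values must equal what login_digid.php stored when it started the request.
if (!hash_equals((string)($init['rid'] ?? ''), $rid)
    || !hash_equals((string)($init['aselect-server'] ?? ''), $server)) {
    http_response_code(403); exit('Request does not belong to this session.');
}

$bsn = verifyCredentials($server, $rid, $cred);
if ($bsn === null) { http_response_code(403); exit('DigiD did not verify the credentials.'); }

// Session fixation mitigation: drop the pre-login state and issue a fresh session id
// before any sensitive value (the BSN) is stored in the session.
unset($_SESSION['session_digid_init']);
session_regenerate_id(true);
$_SESSION['session_digid'] = ['stap' => 2, 'bsn' => $bsn];
echo 'You are now authenticated.';
```

Regenerating the session id after a successful verification means a session id an attacker planted before login never becomes the authenticated one, which is the fixation scenario the concerns section refers to.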

stepx.php

On the following pages, the BSN is taken from the session_digid session.
