Date: Thu, 10 Sep 2009 11:40:03 GMT From: Miroslav Lachman <000.fbsd@quip.cz> To: freebsd-ports@FreeBSD.org Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability Message-ID: <200909101140.n8ABe3PV039271@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/138698; it has been noted by GNATS. From: Miroslav Lachman <000.fbsd@quip.cz> To: bug-followup@FreeBSD.org, andzinsm@volt.iem.pw.edu.pl Cc: Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability Date: Thu, 10 Sep 2009 13:14:32 +0200 I don't know what you are trying to solve. If PHP runs under user www (Apache), it can still read the content of the directory. If you want to disallow access to sessions of different domains (VirtualHosts), you can do it by using different session.save_path for each domain. In context of VirtualHost for www.domain1.tld: php_admin_value session.save_path /web/www.domain1.tld/tmp In context of VirtualHost for www.domain2.tld: php_admin_value session.save_path /web/www.domain2.tld/tmp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909101140.n8ABe3PV039271>