Date:      Thu, 10 Sep 2009 11:40:03 GMT
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Message-ID:  <200909101140.n8ABe3PV039271@freefall.freebsd.org>

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org,  andzinsm@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200

 I don't know what you are trying to solve.
 
 If PHP runs under user www (Apache), it can still read the content of 
 the directory.
 If you want to disallow access to sessions of different domains 
 (VirtualHosts), you can do it by using different session.save_path for 
 each domain.
 
 In context of VirtualHost for www.domain1.tld:
      php_admin_value    session.save_path    /web/www.domain1.tld/tmp
 
 
 In context of VirtualHost for www.domain2.tld:
      php_admin_value    session.save_path    /web/www.domain2.tld/tmp
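
An added example, not part of the original message: a small audit that parses Apache configuration text and reports VirtualHosts that have no session.save_path of their own or that share one with another host, which is the separation the reply describes. The sample configuration is constructed, and www.domain3.tld is a hypothetical third host.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the original message); the shared path
# and www.domain3.tld are hypothetical, added to show the two failure cases.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.domain1.tld
    php_admin_value    session.save_path    /web/www.domain1.tld/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain2.tld
    php_admin_value session.save_path "/web/www.domain1.tld/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain3.tld
    # no session.save_path: falls back to the global php.ini value
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
PATH_RE = re.compile(
    r"^\s*php_(?:admin_)?value\s+session\.save_path\s+\"?([^\"\s]+)\"?", re.I | re.M)

def parse_vhosts(conf):
    """Return {ServerName: session.save_path or None} for each VirtualHost."""
    result = {}
    for i, block in enumerate(VHOST_RE.findall(conf)):
        name = NAME_RE.search(block)
        path = PATH_RE.search(block)  # commented-out directives do not match
        key = name.group(1) if name else f"<unnamed vhost #{i}>"
        result[key] = path.group(1).rstrip("/") if path else None
    return result

def audit(conf):
    """Return (vhosts without their own path, {path: [vhosts sharing it]})."""
    vhosts = parse_vhosts(conf)
    missing = sorted(n for n, p in vhosts.items() if p is None)
    by_path = defaultdict(list)
    for name, path in vhosts.items():
        if path is not None:
            by_path[path].append(name)
    shared = {p: sorted(ns) for p, ns in by_path.items() if len(ns) > 1}
    return missing, shared

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
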


