Date: Thu, 10 Sep 2009 09:37:07 GMT From: "Maciej Andziński" <andzinsm@volt.iem.pw.edu.pl> To: freebsd-gnats-submit@FreeBSD.org Subject: www/138698: PHP session.save_path vulnerability Message-ID: <200909100937.n8A9b76V066192@www.freebsd.org> Resent-Message-ID: <200909100940.n8A9e2TH015718@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 138698 >Category: www >Synopsis: PHP session.save_path vulnerability >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-www >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Sep 10 09:40:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Maciej Andziński >Release: 9.0-CURRENT >Organization: PW >Environment: FreeBSD volt.iem.pw.edu.pl 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Sep 5 18:59:28 CEST 2009 ato@volt.iem.pw.edu.pl:/tmp/obj/usr/src/sys/VOLT amd64 >Description: Default PHP session handler is "file" and default place for saving sessions is directory "/tmp". Permissions allow user WWW to list contents of directory with session files. >How-To-Repeat: Script below shows ID numbers of current PHP sessions: <?PHP $dir = ini_get("session.save_path"); $dh = opendir($dir); while(($file = readdir($dh)) !== false) { if(preg_match("/sess_([a-z0-9]+)/", $file, $matches)) print $matches[1]."\n"; } ?> Having correct session ID number it is easy to read session data. >Fix: In some linux systems this problem is solved by changing directory and permissions of session files. I suggest patch php.ini files: --- php.ini-dist.orig 2009-09-09 18:22:53.000000000 +0200 +++ php.ini-dist 2009-09-09 18:22:53.000000000 +0200 @@ -991,3 +991,3 @@ ; does not overwrite the process's umask. -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5" --- php.ini-recommended.orig 2009-09-09 18:22:53.000000000 +0200 +++ php.ini-recommended 2009-09-09 18:22:53.000000000 +0200 @@ -1042,3 +1042,3 @@ ; does not overwrite the process's umask. -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5" and add following command to install script: mkdir -o www -m 01733 /var/lib/php5 >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909100937.n8A9b76V066192>