Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 10 Sep 2009 09:37:07 GMT
From:      "Maciej Andzi&#324;ski" <andzinsm@volt.iem.pw.edu.pl>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   www/138698: PHP session.save_path vulnerability
Message-ID:  <200909100937.n8A9b76V066192@www.freebsd.org>
Resent-Message-ID: <200909100940.n8A9e2TH015718@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         138698
>Category:       www
>Synopsis:       PHP session.save_path vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-www
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 10 09:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Maciej Andzi&#324;ski
>Release:        9.0-CURRENT
>Organization:
PW
>Environment:
FreeBSD volt.iem.pw.edu.pl 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Sep  5 18:59:28 CEST 2009     ato@volt.iem.pw.edu.pl:/tmp/obj/usr/src/sys/VOLT  amd64
>Description:
Default PHP session handler is "file" and default place for saving sessions is directory "/tmp". Permissions allow user WWW to list contents of directory with session files.
>How-To-Repeat:
Script below shows ID numbers of current PHP sessions:

<?PHP

$dir = ini_get("session.save_path");
$dh = opendir($dir);
while(($file = readdir($dh)) !== false) {
        if(preg_match("/sess_([a-z0-9]+)/", $file, $matches))
                print $matches[1]."\n";
}

?>

Having correct session ID number it is easy to read session data.

>Fix:

In some linux systems this problem is solved by changing directory and permissions of session files.

I suggest patch php.ini files:

--- php.ini-dist.orig	2009-09-09 18:22:53.000000000 +0200
+++ php.ini-dist	2009-09-09 18:22:53.000000000 +0200
@@ -991,3 +991,3 @@
 ; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"


--- php.ini-recommended.orig	2009-09-09 18:22:53.000000000 +0200
+++ php.ini-recommended	2009-09-09 18:22:53.000000000 +0200
@@ -1042,3 +1042,3 @@
 ; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"


and add following command to install script:
mkdir -o www -m 01733 /var/lib/php5


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909100937.n8A9b76V066192>