ports/138698: lang/php5: PHP session.save_path vulnerability
Miroslav Lachman
000.fbsd at quip.cz
Thu Sep 10 11:40:03 UTC 2009
The following reply was made to PR ports/138698; it has been noted by GNATS.
From: Miroslav Lachman <000.fbsd at quip.cz>
To: bug-followup at FreeBSD.org, andzinsm at volt.iem.pw.edu.pl
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200
I don't know what you are trying to solve.
If PHP runs under user www (Apache), it can still read the content of
the directory.
If you want to disallow access to the sessions of different domains
(VirtualHosts), you can do it by using a different session.save_path for
each domain.
In the context of the VirtualHost for www.domain1.tld:
php_admin_value session.save_path /web/www.domain1.tld/tmp
In the context of the VirtualHost for www.domain2.tld:
php_admin_value session.save_path /web/www.domain2.tld/tmp
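
An added example, not part of the original message or the PR: a small audit of an httpd configuration that reports VirtualHosts with no session.save_path of their own and save paths shared by more than one VirtualHost. The sample configuration, the www.domain3.tld host and the function name audit_session_paths are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample httpd configuration (not taken from the PR).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.domain1.tld
    php_admin_value session.save_path /web/www.domain1.tld/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain2.tld
    php_admin_value session.save_path /web/www.domain1.tld/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.domain3.tld
    # php_admin_value session.save_path /web/www.domain3.tld/tmp
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
# Anchored at line start, so commented-out directives are not counted.
PATH_RE = re.compile(
    r"^\s*php_admin_value\s+session\.save_path\s+\"?([^\"\s]+)", re.M | re.I)

def audit_session_paths(conf_text):
    """Return (missing, shared): vhosts without a save_path, and paths used by several."""
    missing, by_path = [], defaultdict(list)
    for i, block in enumerate(VHOST_RE.findall(conf_text)):
        m = NAME_RE.search(block)
        name = m.group(1) if m else f"<vhost #{i}>"
        p = PATH_RE.search(block)
        if p is None:
            missing.append(name)  # this vhost inherits the global save_path
            continue
        # PHP also accepts "N;/path" and "N;MODE;/path"; keep only the directory.
        directory = p.group(1).rsplit(";", 1)[-1]
        # Normalise so "/a/tmp" and "/a/tmp/" count as the same directory.
        by_path[posixpath.normpath(directory)].append(name)
    shared = {d: names for d, names in by_path.items() if len(names) > 1}
    return missing, shared

if __name__ == "__main__":
    missing, shared = audit_session_paths(SAMPLE_CONF)
    print("no per-vhost session.save_path:", missing)
    print("session.save_path shared between vhosts:", shared)
```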