ports/138698: lang/php5: PHP session.save_path vulnerability
andzinsm at volt.iem.pw.edu.pl
Thu Sep 10 12:20:04 UTC 2009
The following reply was made to PR ports/138698; it has been noted by GNATS.
From: Maciej Andzinski <andzinsm at volt.iem.pw.edu.pl>
To: Miroslav Lachman <000.fbsd at quip.cz>
Cc: bug-followup at FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:58:42 +0200 (CEST)
The problem is in permissions and that is what I suggest to fix. Bu you
are right, I've made a mistake - the owner of /var/lib/php5 should be
root, not www.
I suggest changing permissions to 01733 (rwx-wx-wt), it can prevent
session numbers leaking.
Is it clear now?
More information about the freebsd-ports