ports/138698: lang/php5: PHP session.save_path vulnerability

Miroslav Lachman 000.fbsd at quip.cz
Thu Sep 10 18:50:03 UTC 2009

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd at quip.cz>
To: bug-followup at FreeBSD.org,  andzinsm at volt.iem.pw.edu.pl
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

Yes, it is clear now and with owner root, it works.
I propose to make this optional, as somebody has /tmp optimized for 
better speed (another disk device, flash device, RAM disk etc.) but not 
And FreeBSD doesn't have /var/lib by default (/var/lib/* is mostly used 
by some Linux distributions). I am not sure if it is the right place to 
put these files, according to man hier(7).
Next thing to think about is that /tmp is (or easily can be) cleared at 
system startup, but /var/*/* not.
If we do some change in default php.ini, it affects more than just 
"files are moved to another place", so things need to be done carefully.
Maybe leave the default as is and put these hardening steps in comments 
in php.ini, then anybody can make their own decision.
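The two properties the reply argues about (session files kept out of the shared /tmp, and the directory owned by root with no group/other access) can be checked on a host before changing session.save_path. The following is an added example written for this page, not code from the PR or the lang/php5 port; the function name and the optional expected-uid argument are its own inventions.

```sh
#!/bin/sh
# check_session_dir DIR [UID]
# Inspect a directory intended for PHP's session.save_path.
# Returns 0 when DIR is outside /tmp, exists, is owned by UID (default 0,
# i.e. root, as in the thread) and carries no group/other permission bits
# (mode 0700 or stricter). Otherwise prints the reason and returns 1.
# Uses only POSIX ls -ldn, so the same script works on FreeBSD and Linux.
check_session_dir() {
    dir=$1
    want_uid=${2:-0}

    # /tmp is shared by every local user and may be wiped at boot.
    case "$dir" in
        /tmp|/tmp/*)
            echo "$dir: inside /tmp (shared, may be cleared at startup)"
            return 1 ;;
    esac

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # Fields: mode links uid gid size ... ; -n prints numeric ids.
    set -- $(ls -ldn "$dir")
    mode=$1
    owner=$3

    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected uid $want_uid"
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    case "$mode" in
        d???------*) ;;
        *)
            echo "$dir: mode $mode is readable by group/other; chmod 0700 it"
            return 1 ;;
    esac

    echo "$dir: ok (owner uid $owner, mode $mode)"
    return 0
}

# Usage: ./check_session_dir.sh /var/db/php/session   (path is an example)
if [ "$#" -gt 0 ]; then
    check_session_dir "$@"
fi
```

Run it as root against whatever path you intend to put in php.ini; a non-zero exit means the directory still needs chown/chmod or a different location.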
