ports/138698: lang/php5: PHP session.save_path vulnerability

piotr.smyrak at heron.pl piotr.smyrak at heron.pl
Thu Sep 10 19:11:05 UTC 2009

On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote
> The following reply was made to PR ports/138698; it has 
> been noted by GNATS.
> From: Miroslav Lachman <000.fbsd at quip.cz>
> To: bug-followup at FreeBSD.org,  andzinsm at volt.iem.pw.edu.pl
> Cc:  
> Subject: Re: ports/138698: lang/php5: PHP 
> session.save_path vulnerability
> Date: Thu, 10 Sep 2009 20:49:14 +0200
>  Yes, it is clear now and with owner root, it works.
>  I propose to make this optional, as somebody has /tmp 
> optimized for  better speed (another disk device, flash 
> device, RAM disk etc.) but not  /var/lib/php5. And FreeBSD 
> doesn't have /var/lib by default. /var/lib/* is mostly 
> used  by some Linux distributions). I am not sure if it is 
> the right place to  put these files, according to man 
> hier(7). Next thing to think about is, that /tmp is (or 
> easily can be) cleared at  system startup, but /var/*/* 
> not. If we do some change in default php.ini, it affects 
> more then just  "files are moved to another place", so 
> things need to be done carefully.
>  Maybe leave the default as is and put these hardening 
> steps in comments  in php.ini, then anybody can make own decision.

UPDATING msg would be in place, too IMO.

 Piotr Smyrak
 piotr.smyrak at heron.pl

More information about the freebsd-ports mailing list