ports/138698: lang/php5: PHP session.save_path vulnerability
piotr.smyrak at heron.pl
Thu Sep 10 19:11:05 UTC 2009
On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote:
> The following reply was made to PR ports/138698; it has
> been noted by GNATS.
>
> From: Miroslav Lachman <000.fbsd at quip.cz>
> To: bug-followup at FreeBSD.org, andzinsm at volt.iem.pw.edu.pl
> Cc:
> Subject: Re: ports/138698: lang/php5: PHP
> session.save_path vulnerability
> Date: Thu, 10 Sep 2009 20:49:14 +0200
>
> Yes, it is clear now and with owner root, it works.
>
> I propose to make this optional, as somebody has /tmp
> optimized for better speed (another disk device, flash
> device, RAM disk etc.) but not /var/lib/php5. And FreeBSD
> doesn't have /var/lib by default (/var/lib/* is mostly
> used by some Linux distributions). I am not sure if it is
> the right place to put these files, according to
> hier(7). The next thing to think about is that /tmp is (or
> easily can be) cleared at system startup, but /var/*/*
> is not. If we make a change in the default php.ini, it affects
> more than just "files are moved to another place", so
> things need to be done carefully.
>
> Maybe leave the default as is and put these hardening
> steps in comments in php.ini; then anybody can make their own decision.
An UPDATING message would be in place, too, IMO.
--
Piotr Smyrak
piotr.smyrak at heron.pl
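The thread above turns on where session.save_path points and who else can read that directory. The following POSIX sh script is an added example written for this archive page; it is not code from the PR, from the php5 port or from either poster. It reads the effective session.save_path out of a php.ini (honouring PHP's optional "N;" / "N;MODE;" depth prefix), then checks the directory with ls -ld so it works the same on FreeBSD and Linux: a path that is world-readable, like a default 1777 /tmp, lets any local user list session IDs and is reported as shared; a dedicated directory such as a root-owned /var/lib/php5 with mode 1733 passes. The function names, the sample php.ini contents and the 1733 mode are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the PR thread: audit the session.save_path in a
# php.ini and check whether the directory is shared with other local users.
set -u

# Print the effective session.save_path from a php.ini, or return 1 if unset.
# Commented lines (";session.save_path = ...") are ignored, the last active
# assignment wins, and the optional "N;" or "N;MODE;" prefix is stripped.
php_ini_save_path() {
    ini="$1"
    raw=$(grep -E '^[[:space:]]*session\.save_path[[:space:]]*=' "$ini" | tail -n 1)
    [ -n "$raw" ] || return 1
    val=${raw#*=}
    # trim surrounding whitespace and double quotes
    val=$(printf '%s' "$val" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                                   -e 's/^"//' -e 's/"$//')
    # "2;/path" or "2;0600;/path": the directory is whatever follows the last ';'
    case $val in
        *\;*) val=${val##*;} ;;
    esac
    printf '%s\n' "$val"
}

# Return 0 if DIR is a dedicated session directory: it exists, other users
# cannot read (list) it, and if it is world-writable the sticky bit is set so
# users cannot remove each other's files.  A 1777 /tmp fails because it is
# world-readable; an assumed 1733 /var/lib/php5 passes.
session_dir_is_hardened() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwxrwxrwt
    other=${perms#???????}                   # last three chars: "other" bits
    case $other in
        r*)     return 1 ;;  # world-readable: anyone can enumerate session files
        ?-?)    return 0 ;;  # not world-writable: sticky bit not required
        ??[tT]) return 0 ;;  # world-writable but sticky: files are protected
        *)      return 1 ;;  # world-writable without sticky bit
    esac
}

# Combine both checks for one php.ini and print a one-line verdict.
audit_php_ini() {
    ini="$1"
    path=$(php_ini_save_path "$ini") || {
        echo "$ini: session.save_path unset (PHP falls back to the system temp dir)"
        return 1
    }
    if session_dir_is_hardened "$path"; then
        echo "$ini: session.save_path=$path is a dedicated session directory"
    else
        echo "$ini: session.save_path=$path is shared with other local users"
        return 1
    fi
}

# Usage: sh audit-session-path.sh /usr/local/etc/php.ini
if [ -n "${1:-}" ]; then
    audit_php_ini "$1"
fi
```

Run it against the php.ini the web server actually loads (the path in the usage line is only an example); a non-zero exit means the sessions live somewhere other local users can list, which is the condition the PR is about. The check looks at permission bits only, so it should be paired with the ownership expectation from the thread (the directory owned by root) when deciding on a site-specific hardening step.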