www/138698: PHP session.save_path vulnerability
Maciej Andziński
andzinsm at volt.iem.pw.edu.pl
Thu Sep 10 09:40:02 UTC 2009
>Number: 138698
>Category: www
>Synopsis: PHP session.save_path vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-www
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 10 09:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Maciej Andziński
>Release: 9.0-CURRENT
>Organization:
PW
>Environment:
FreeBSD volt.iem.pw.edu.pl 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Sep 5 18:59:28 CEST 2009 ato at volt.iem.pw.edu.pl:/tmp/obj/usr/src/sys/VOLT amd64
>Description:
Default PHP session handler is "file" and default place for saving sessions is directory "/tmp". Permissions allow user WWW to list contents of directory with session files.
>How-To-Repeat:
Script below shows ID numbers of current PHP sessions:
<?PHP
$dir = ini_get("session.save_path");
$dh = opendir($dir);
while(($file = readdir($dh)) !== false) {
if(preg_match("/sess_([a-z0-9]+)/", $file, $matches))
print $matches[1]."\n";
}
?>
Having correct session ID number it is easy to read session data.
>Fix:
In some linux systems this problem is solved by changing directory and permissions of session files.
I suggest patch php.ini files:
--- php.ini-dist.orig 2009-09-09 18:22:53.000000000 +0200
+++ php.ini-dist 2009-09-09 18:22:53.000000000 +0200
@@ -991,3 +991,3 @@
; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"
--- php.ini-recommended.orig 2009-09-09 18:22:53.000000000 +0200
+++ php.ini-recommended 2009-09-09 18:22:53.000000000 +0200
@@ -1042,3 +1042,3 @@
; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"
and add following command to install script:
mkdir -o www -m 01733 /var/lib/php5
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-www
mailing list