Date: Thu, 10 Sep 2009 12:20:03 GMT
From: Maciej Andzinski <andzinsm@volt.iem.pw.edu.pl>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Message-ID: <200909101220.n8ACK32F077698@freefall.freebsd.org>

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Maciej Andzinski <andzinsm@volt.iem.pw.edu.pl>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:58:42 +0200 (CEST)

The problem is in permissions and that is what I suggest to fix. But you
are right, I've made a mistake - the owner of /var/lib/php5 should be root,
not www. I suggest changing permissions to 01733 (rwx-wx-wt), it can
prevent session numbers leaking. Is it clear now?
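
A check for the ownership and mode suggested in the message above, as an added example that is not part of the original e-mail or of the FreeBSD port. The function name `check_session_dir`, its arguments and its output wording are hypothetical; only the root owner and the 01733 (rwx-wx-wt) mode come from the message.

```shell
#!/bin/sh
# Added example (not from the original message). check_session_dir is a
# hypothetical helper name; the expected mode is the one suggested in the
# message: root-owned, 01733 (rwx-wx-wt).
#
# usage: check_session_dir DIR [EXPECTED_UID]    (EXPECTED_UID defaults to 0)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR
# is not a directory.
check_session_dir() {
    dir=$1
    want_uid=${2:-0}
    findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    # POSIX ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    info=$(ls -ldn -- "$dir" | awk '{print $1, $3}')
    mode=${info%% *}
    uid=${info##* }

    if [ "$uid" != "$want_uid" ]; then
        echo "owner is uid $uid, expected $want_uid"
        findings=$((findings + 1))
    fi

    # Read permission on a directory lets a user list file names, and PHP
    # session file names contain the session ID.
    case $mode in
        ????r*|???????r*)
            echo "listable by group or other ($mode): session IDs can be enumerated"
            findings=$((findings + 1)) ;;
    esac

    # Without the sticky bit, anyone with write access to the directory can
    # remove or rename session files that belong to other users.
    case $mode in
        ?????????[tT]*) ;;
        *)  echo "sticky bit not set ($mode)"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Run against the directories given on the command line, if any.
for d in "$@"; do
    check_session_dir "$d" || true
done
```

Saved under a file name of your choice and run with the session directory as its argument (for the path in the message, `/var/lib/php5`), it prints nothing when the directory is owned by uid 0 and has mode 01733.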