From owner-freebsd-www@FreeBSD.ORG Thu Sep 10 09:40:02 2009
Message-Id: <200909100937.n8A9b76V066192@www.freebsd.org>
Date: Thu, 10 Sep 2009 09:37:07 GMT
From: "Maciej Andziński"
To: freebsd-gnats-submit@FreeBSD.org
Subject: www/138698: PHP session.save_path vulnerability
List-Id: FreeBSD Project Webmasters

>Number: 138698
>Category: www
>Synopsis: PHP session.save_path vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-www
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 10 09:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Maciej Andziński
>Release: 9.0-CURRENT
>Organization: PW
>Environment:
FreeBSD volt.iem.pw.edu.pl 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Sep 5 18:59:28 CEST 2009 ato@volt.iem.pw.edu.pl:/tmp/obj/usr/src/sys/VOLT amd64
>Description:
The default PHP session handler is "file" and the default place for saving sessions is the directory "/tmp". Permissions allow user WWW to list the contents of the directory with session files.
>How-To-Repeat:
The script below shows the ID numbers of current PHP sessions:

Having the correct session ID number, it is easy to read session data.
>Fix:
In some Linux systems this problem is solved by changing the directory and permissions of session files. I suggest patching the php.ini files:

--- php.ini-dist.orig 2009-09-09 18:22:53.000000000 +0200 +++ php.ini-dist 2009-09-09 18:22:53.000000000 +0200 @@ -991,3 +991,3 @@ ; does not overwrite the process's umask. -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5" --- php.ini-recommended.orig 2009-09-09 18:22:53.000000000 +0200 +++ php.ini-recommended 2009-09-09 18:22:53.000000000 +0200 
@@ -1042,3 +1042,3 @@ ; does not overwrite the process's umask. -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5"

and add the following command to the install script:

mkdir -o www -m 01733 /var/lib/php5

>Release-Note:
>Audit-Trail:
>Unformatted:
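
Review bot: the `+session.save_path = "/var/lib/php5"` line in both hunks only closes the listing problem if the web user lacks read permission on that directory, and the accompanying command creates it owned by www with mode 01733, where the owner bits are rwx, so www could still list the session files. Creating the directory owned by root with the same mode would leave www with write and search access only. The command is also written as `mkdir -o www`, and mkdir takes `-m` but has no owner option; `install -d -o <owner> -m 01733 /var/lib/php5` sets owner and mode in one step. Since the setting is now uncommented in both php.ini-dist and php.ini-recommended, the directory has to exist before PHP first starts a session, so the creation step belongs in the same change.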
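
A defensive check for the condition this report describes, as an added example that is not part of the original message or of the FreeBSD port: it reports whether a given user can list a session directory. The function names, the finding labels and the temporary directory standing in for the session directory are assumptions of this example.

```python
import os
import stat
import tempfile

# (owner, group, other) permission bits needed for each operation on a directory
LIST = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
CREATE = (stat.S_IWUSR | stat.S_IXUSR, stat.S_IWGRP | stat.S_IXGRP,
          stat.S_IWOTH | stat.S_IXOTH)

def _allowed(st, uid, gids, bits):
    """POSIX class check: owner bits for the owner, else group bits, else other."""
    if uid == 0:
        return True  # root is not restricted by directory mode bits
    if st.st_uid == uid:
        need = bits[0]
    elif st.st_gid in gids:
        need = bits[1]
    else:
        need = bits[2]
    return st.st_mode & need == need

def audit_session_dir(path, web_uid, web_gids):
    """Return findings for a session directory as seen by the web server user."""
    st = os.stat(path)
    findings = []
    if _allowed(st, web_uid, web_gids, LIST):
        findings.append("listable")      # session file names (IDs) can be enumerated
    if not _allowed(st, web_uid, web_gids, CREATE):
        findings.append("not-writable")  # PHP could not create session files here
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        findings.append("no-sticky")     # any user could remove others' session files
    return findings

def demo():
    """Run the audit on a constructed temporary directory standing in for the real one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        owner = os.stat(d).st_uid
        other = owner + 1                # constructed uid that is neither owner nor root
        os.chmod(d, 0o1777)              # same mode as /tmp
        results["1777, web user is not owner"] = audit_session_dir(d, other, set())
        os.chmod(d, 0o1733)
        results["1733, web user is not owner"] = audit_session_dir(d, other, set())
        results["1733, web user is owner"] = audit_session_dir(d, owner, set())
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "ok")
```

On a real host, pass the configured session.save_path and the uid and group ids of the account the web server runs as.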