| Summary: | lang/php5: PHP session.save_path vulnerability |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Maciej Andziński <andzinsm> |
| Component: | Individual Port(s) |
| Assignee: | Alex Dupre <ale> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
Responsible Changed From-To: freebsd-www->freebsd-ports

reassign to ports team; this has nothing to do with the webmasters queue

I don't know what you are trying to solve. If PHP runs under user www (Apache), it can still read the content of the directory.

If you want to disallow access to sessions of different domains (VirtualHosts), you can do it by using a different session.save_path for each domain.

In context of VirtualHost for www.domain1.tld:

    php_admin_value session.save_path /web/www.domain1.tld/tmp

In context of VirtualHost for www.domain2.tld:

    php_admin_value session.save_path /web/www.domain2.tld/tmp

The problem is in permissions and that is what I suggest to fix. But you are right, I've made a mistake - the owner of /var/lib/php5 should be root, not www. I suggest changing permissions to 01733 (rwx-wx-wt); it can prevent session numbers leaking. Is it clear now?

Yes, it is clear now and with owner root, it works. I propose to make this optional, as somebody has /tmp optimized for better speed (another disk device, flash device, RAM disk etc.) but not /var/lib/php5. And FreeBSD doesn't have /var/lib by default (/var/lib/* is mostly used by some Linux distributions). I am not sure if it is the right place to put these files, according to man hier(7). Next thing to think about is that /tmp is (or easily can be) cleared at system startup, but /var/*/* is not. If we do some change in the default php.ini, it affects more than just "files are moved to another place", so things need to be done carefully. Maybe leave the default as is and put these hardening steps in comments in php.ini, then anybody can make their own decision.

I am a Linux user, so maybe you could recommend a better location in FreeBSD than /var/lib/php5? I am also thinking where to add the "mkdir" command; is there any special place in the makefile? What do you think?

Responsible Changed From-To: freebsd-ports->ale

over to php maintainer

State Changed From-To: open->closed

It's a configuration problem, you have many ways to solve it:

- use open_basedir
- use php-suhosin
- your proposed solution
- ...
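The thread above settles on a root-owned session directory with mode 01733 (rwx-wx-wt) as the hardening, and also notes that ownership by the web server user defeats the mode bits. The following portable sh audit is an added example, not code from the bug report or from the FreeBSD port: it classifies a candidate session.save_path directory by exactly those two criteria (read bit for group/other, sticky bit, owner) and builds constructed fixtures for the default /tmp-like layout, the proposed 01733 layout, and a half-fixed variant. The web server user name `www` is assumed (Apache on FreeBSD; Linux distributions often use `www-data`), and the `sess_` file it creates is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the bug report or the FreeBSD port. PHP's
# default session.save_path is /tmp (mode 1777), so any local user, the
# web server's own user included, can list sess_* files and learn live
# session IDs. The hardening proposed in the thread is a root-owned
# directory with mode 01733 (rwx-wx-wt): others can create and open a
# session file whose name they know but cannot enumerate the directory,
# and the sticky bit stops them removing or renaming each other's files.

# session_dir_status DIR WEBUSER
# Prints one word:
#   owner-is-webuser  the web server user owns DIR, so it can always list
#                     it (and chmod it back), whatever the mode bits say
#   listable          group or other has the read bit: session IDs leak
#   weak              no read bit for others, but no sticky bit either
#   hardened          no read bit for group/other and sticky bit set (01733)
# Uses ls -ld rather than stat(1), whose flags differ between FreeBSD and
# Linux.
session_dir_status() {
    dir=$1
    webuser=$2
    set -- $(ls -ld "$dir")        # fields: mode links owner group ...
    mode=$1
    owner=$3
    if [ "$owner" = "$webuser" ]; then
        echo owner-is-webuser
        return
    fi
    grp_r=$(printf '%s' "$mode" | cut -c5)    # group read bit
    oth_r=$(printf '%s' "$mode" | cut -c8)    # other read bit
    oth_x=$(printf '%s' "$mode" | cut -c10)   # 't' or 'T' when sticky is set
    if [ "$grp_r" = "r" ] || [ "$oth_r" = "r" ]; then
        echo listable
    elif [ "$oth_x" = "t" ] || [ "$oth_x" = "T" ]; then
        echo hardened
    else
        echo weak
    fi
}

# make_fixture
# Builds three constructed session directories under a fresh temp directory
# and prints that directory's path: one shaped like /tmp, one with the
# proposed 01733 mode, and one that dropped the read bit but kept no
# sticky bit. The fake sess_ file stands in for a real session file.
make_fixture() {
    root=$(mktemp -d)
    mkdir -m 1777 "$root/like_tmp"
    mkdir -m 1733 "$root/hardened"
    mkdir -m 0733 "$root/no_sticky"
    : > "$root/like_tmp/sess_deadbeef0123"     # constructed session file
    echo "$root"
}

# Stand-alone run: `sh audit.sh --demo` audits the three fixtures against
# an assumed web server user named www.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_fixture)
    for d in like_tmp hardened no_sticky; do
        printf '%-10s %s\n' "$d" "$(session_dir_status "$f/$d" www)"
    done
    rm -rf "$f"
fi
```

On a real host you would point `session_dir_status` at the value of `session.save_path` from the running php.ini and pass the user the web server actually runs as; the `owner-is-webuser` result is the case the thread corrected mid-way (the directory must be owned by root, not www), and `weak` is what you get from a plain `chmod 733` that forgets the sticky bit.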
The default PHP session handler is "file" and the default place for saving sessions is the directory "/tmp". Permissions allow user WWW to list the contents of the directory with session files.

Fix: In some Linux systems this problem is solved by changing the directory and permissions of session files. I suggest patching the php.ini files (attached file.diff) and adding the following command to the install script:

    mkdir -o www -m 01733 /var/lib/php5

file.diff:

--- php.ini-dist.orig 2009-09-09 18:22:53.000000000 +0200 +++ php.ini-dist 2009-09-09 18:22:53.000000000 +0200 @@ -991,3 +991,3 @@ ; does not overwrite the process's umask. -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5"

How-To-Repeat: The script below shows the ID numbers of current PHP sessions:

```php
<?php
// Lists the IDs of all live PHP sessions kept by the default "files" handler.
// It works only because the session directory (/tmp by default) is listable
// by the user the script runs as.
$dir = ini_get("session.save_path");
$dh = opendir($dir);
if ($dh === false) {
    exit("cannot open session directory $dir\n");
}
while (($file = readdir($dh)) !== false) {
    // Session files are named sess_<id>
    if (preg_match("/sess_([a-z0-9]+)/", $file, $matches)) {
        print $matches[1] . "\n";
    }
}
closedir($dh);
?>
```

Having the correct session ID number, it is easy to read the session data.
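Review bot: the hunk turns the commented default `;session.save_path = "/tmp"` into an active `session.save_path = "/var/lib/php5"`, but nothing in the patch creates that directory, so the files handler has nowhere to write until the separate install step runs; the directory creation (root-owned, mode 01733, as the thread later settles on) must land in the port's install stage together with this php.ini change, not as a loose instruction. The companion command as written, `mkdir -o www -m 01733 /var/lib/php5`, will not run: mkdir(1) has no -o option, so ownership needs install(1) -d -o or a separate chown, and the thread itself corrects the owner from www to root. The thread also notes that /var/lib is not a hier(7) location on FreeBSD and that /tmp is cleared at startup while /var is not, so this default should not be changed for every user of the port without settling the path first.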