ID: 37273
Updated by: [EMAIL PROTECTED]
Reported By: c dot i dot morris at durham dot ac dot uk
Status: Open
-Bug Type: Documentation problem
+Bug Type: Session related
Operating System: Linux
PHP Version: 5.1.3
New Comment:
Security vulnerability should be better fixed in source than
documented.
Previous Comments:
------------------------------------------------------------------------
[2006-07-27 11:41:42] a dot d dot stribblehill at durham dot ac dot uk
This is *not* a documentation bug: as the original report says, it is a
security vulnerability -- one that can and should be fixed in the code.
------------------------------------------------------------------------
[2006-07-27 01:34:11] [EMAIL PROTECTED]
Reclassified. Ilia will give more info for whomever is going to
document this.
------------------------------------------------------------------------
[2006-06-16 14:32:37] c dot i dot morris at durham dot ac dot uk
For a possible solution to this, in ext/session/mod_files.c, the
ps_files_open function has:
    data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY,
                              data->filemode);
On systems that support O_NOFOLLOW (FreeBSD, Linux>=2.2, maybe others)
you can probably do
    data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW,
                              data->filemode);
which will cause this open to fail (with error ELOOP) if the session
file is a symlink rather than a regular file.
On systems that don't support O_NOFOLLOW, stat()ing the file and making
sure the file mode isn't S_IFLNK should do it.
Would you like me to try to put together a patch for this?
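The O_NOFOLLOW change suggested in the comment above, worked into a small C helper as an added example (this is not PHP's mod_files.c code nor the reporter's patch): it uses O_NOFOLLOW where the header defines it and falls back to the lstat() check otherwise, and the demo function builds a throwaway directory under /tmp with a symlink standing in for sess_abc and checks that the open is refused with ELOOP while a regular session file still opens. The directory name, file names and the 0600 mode are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a session file for read/write, but refuse to
 * follow a symbolic link. Returns the fd, or -1 with errno set (ELOOP when
 * the path is a symlink). */
int open_session_file_nofollow(const char *path, mode_t mode)
{
#ifdef O_NOFOLLOW
    return open(path, O_CREAT | O_RDWR | O_NOFOLLOW, mode);
#else
    /* Fallback for systems without O_NOFOLLOW: reject symlinks via lstat().
     * Note the lstat()/open() pair is inherently racy (TOCTOU). */
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    return open(path, O_CREAT | O_RDWR, mode);
#endif
}

/* Demo with constructed paths: a temp dir holding a regular session file
 * and a symlink "sess_abc" to another file (standing in for the file
 * outside open_basedir). Returns 1 if the symlink open fails with ELOOP
 * and the regular file opens, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/sessdemoXXXXXX";            /* assumed location */
    char target[256], lnk[256], regular[256];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/outside_target", dir);
    snprintf(lnk, sizeof lnk, "%s/sess_abc", dir);
    snprintf(regular, sizeof regular, "%s/sess_def", dir);
    int ok = 0;
    int t = open(target, O_CREAT | O_RDWR, 0600);
    if (t >= 0 && close(t) == 0 && symlink(target, lnk) == 0) {
        int fd = open_session_file_nofollow(lnk, 0600);
        int refused = (fd < 0 && errno == ELOOP);   /* expected: refused */
        if (fd >= 0) close(fd);
        int r = open_session_file_nofollow(regular, 0600);
        if (r >= 0) close(r);
        ok = refused && r >= 0;
    }
    unlink(regular); unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```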
------------------------------------------------------------------------
[2006-05-03 16:19:05] c dot i dot morris at durham dot ac dot uk
As above - I managed to lose the bug password and it took a while to
come through to my email.
------------------------------------------------------------------------
[2006-05-03 13:30:53] cim at compsoc dot dur dot ac dot uk
Ah, there appears to be some confusion over what I mean. I don't mean
ini_set() the session directory to a symlink, I mean set the session
directory to a real directory (which, yes, must be within open_basedir
confines) that contains a symlink outside open_basedir.
(So, for example, open_basedir = /users/www1/, create a symlink from
/users/www1/bob/sess_abc to /users/www2/fred/target, ini_set() the
session storage directory to /users/www1/bob/, and then create a session
with ID 'abc' using ?PHPSESSID=abc)
Does that make more sense?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/37273