Re: [PHP] session.save_path is a big security hole!
> Unfortunately setting quotas (e.g. for the apache user) doesn't prevent
> flooding out the entire disk. For example I can have a script running that
> checks user directories every 15 minutes and if some directory contains a
> large amount of apache-generated files, the user account will be disabled
> and the files removed. But what to do if for example I have 500 users and
> every user directory is flooded out with bogus files? Actually I can imagine
> some sort of terrorising the server with that kind of attack :)

AFAIK it's possible to set a limit on the number of inodes as well as space.
So that prevents a gazillion 1-byte files from killing the server.

--
http://www.raditha.com/php/progress.php
A progress bar for PHP file uploads.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] session.save_path is a big security hole!
"Raditha Dissanayake" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> M, very interesting thread, thanx for starting this. Good comments curt.
>
>> 1. (!!!) Absolutely easily generate new sessions with any content for every
>> site on server.
>
> It's because of the 'suspect' nature of sessions and cookies that I
> never place userid, username or password in sessions. My tactic is to
> always have a 2-column mysql table and store the session identifier and
> corresponding userid in it. So even if someone does create a bogus
> session they still have to find a way to insert a userid into the mysql db.

Yep, there are many ways. But I think 90% of PHP users don't even realize
that every user on the same server can actually get full access to their
account through sessions. And I bet it can be done now on 90% of the
hosting companies :D

The only workaround I thought out on the system level, without disabling
ini_set, is to create a unique session folder for every user, with a random
name 20-30 chars long, and to set this dir for every user through
php_admin_value. But there's still the next problem below.

>> 3. Flood every http server writable directory with thousands or millions
>> of files.
>
> Set quotas. Some admins even set a quota for the root user, which is
> inconvenient but safe.

Unfortunately setting quotas (e.g. for the apache user) doesn't prevent
flooding out the entire disk. For example I can have a script running that
checks user directories every 15 minutes and if some directory contains a
large amount of apache-generated files, the user account will be disabled
and the files removed. But what to do if for example I have 500 users and
every user directory is flooded out with bogus files? Actually I can imagine
some sort of terrorising the server with that kind of attack :)

> --
> http://www.raditha.com/php/progress.php
> A progress bar for PHP file uploads.
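An added example (not code from the thread or from any of its posters) of the host-side check described above: a job run from cron that counts sess_* files written into each user directory inside a 15-minute window and reports the directories over a threshold, so a flood is noticed and tied to a directory before the disk or inode quota runs out. The directory names, threshold and sample files are constructed here.

```python
"""Added example, not code from the thread: a host-side check in the spirit of
the 'check user directories every 15 minutes' job described above.  Counts PHP
session files (sess_*) written into each directory inside a time window and
reports the directories over a threshold.  All paths and data are constructed."""
import os
import tempfile
import time
from pathlib import Path

SESSION_PREFIX = "sess_"  # PHP's 'files' save handler names session files sess_<id>


def count_recent_session_files(directory, window_seconds, now=None):
    """Number of sess_* regular files in `directory` modified within the window."""
    now = time.time() if now is None else now
    count = 0
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.name.startswith(SESSION_PREFIX):
                continue
            if not entry.is_file(follow_symlinks=False):  # ignore symlink tricks
                continue
            if now - entry.stat(follow_symlinks=False).st_mtime <= window_seconds:
                count += 1
    return count


def find_session_floods(directories, threshold, window_seconds=15 * 60, now=None):
    """Map each directory with more than `threshold` recent session files to its count."""
    floods = {}
    for directory in directories:
        n = count_recent_session_files(directory, window_seconds, now)
        if n > threshold:
            floods[str(directory)] = n
    return floods


def build_sample_tree(flooded_files=500, normal_files=20):
    """Constructed sample: two user dirs, one flooded, plus one stale file outside the window."""
    root = Path(tempfile.mkdtemp(prefix="sessdemo_"))
    alice, bob = root / "alice", root / "bob"
    alice.mkdir()
    bob.mkdir()
    for i in range(normal_files):          # normal traffic: a handful of real sessions
        (alice / f"{SESSION_PREFIX}{i:032x}").write_text("userid|i:1;")
    for i in range(flooded_files):         # the flood: many tiny files in one burst
        (bob / f"{SESSION_PREFIX}{i:032x}").write_text("x")
    stale = alice / f"{SESSION_PREFIX}{'f' * 32}"  # two hours old: must not count
    stale.write_text("old")
    two_hours_ago = time.time() - 2 * 60 * 60
    os.utime(stale, (two_hours_ago, two_hours_ago))
    return root, [alice, bob]


if __name__ == "__main__":
    root, user_dirs = build_sample_tree()
    for path, n in find_session_floods(user_dirs, threshold=100).items():
        print(f"FLOOD: {path} has {n} session files written in the last 15 minutes")
```

Pointing the directory list at the per-user session folders (rather than every web-writable directory) is what lets the report name a specific account.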
Re: [PHP] session.save_path is a big security hole!
M, very interesting thread, thanx for starting this. Good comments curt.

> 1. (!!!) Absolutely easily generate new sessions with any content for every
> site on server.

It's because of the 'suspect' nature of sessions and cookies that I never
place userid, username or password in sessions. My tactic is to always have a
2-column mysql table and store the session identifier and corresponding userid
in it. So even if someone does create a bogus session they still have to find
a way to insert a userid into the mysql db.

> 3. Flood every http server writable directory with thousands or millions
> of files.

Set quotas. Some admins even set a quota for the root user, which is
inconvenient but safe.

--
http://www.raditha.com/php/progress.php
A progress bar for PHP file uploads.
Re: [PHP] session.save_path is a big security hole!
* Thus wrote John W. Holmes ([EMAIL PROTECTED]):
>> You didn't understand. I change save.session_path to another site's session
>> directory, do session_start(), write every variable I want, write down the
>> session number, go to this site and use this generated session. You can't
>> prevent this ever!
>
> Does enabling safe_mode counter any of these writing file issues?

Unfortunately no.

> We all know the solution is to have a dedicated server, of course. :)

Or a jailed system, usually a bit cheaper for the client. Perhaps that is the
best way to go as a hosting company, and only offer a really locked down
(disabling a bunch of functions) setup to simple virtual hosts.

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
Re: [PHP] session.save_path is a big security hole!
> You didn't understand. I change save.session_path to another site's session
> directory, do session_start(), write every variable I want, write down the
> session number, go to this site and use this generated session. You can't
> prevent this ever!

Does enabling safe_mode counter any of these writing file issues?

We all know the solution is to have a dedicated server, of course. :)

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
Re: [PHP] session.save_path is a big security hole!
* Thus wrote Rx ([EMAIL PROTECTED]):
>
> "Curt Zirzow" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> * Thus wrote Rx ([EMAIL PROTECTED]):
>>
>> You can set the value with
>> php_admin_value save_path "/tmp"
>
> If I set php_admin_value, the user STILL can change the value with ini_set()!
> I tested it. php_admin_value only prevents changing the value from a .htaccess
> file. Actually this also makes sense to me: values set by php_admin_value
> shouldn't be allowed to change ever.

I was not aware of this.

> You didn't understand. I change save.session_path to another site's session
> directory, do session_start(), write every variable I want, write down the
> session number, go to this site and use this generated session. You can't
> prevent this ever!

hm. yes, I see your point on this.

>>> 2. Delete other users' sessions by setting gc to 100 and probably legal
>>> files starting with sess_*.
>>
>> I'm also not sure but technically gc_maxlifetime should never be
>> lower than cache_expire, if this is the case then there are no issues
>> with setting gc_probability to 100, 'cept for a bunch of overhead for
>> the user's script.
>
> Hm, what's the connection with cache_expire? The user sets gc to 100 and
> maxlifetime to 1 sec, then that script will delete every session in the
> directory.

The connection is that the gc shouldn't clean up a session that still has a
lifetime. So if gc_maxlifetime = 9 and cache_expire = 10, gc shouldn't clean
up anything less than 11. But then, this is a moot point since if you change
cache_expire at run time, gc won't know the difference.

>> Don't allow the person to create files. That is the only way to
>> prevent a user from doing this regardless of the save_path parameter.
>
> No, it's not a valid point. Every user can access only certain directories
> with apache permissions or with his own. And I know which directory belongs
> to whom. However with session.save_path a user can flood EVERY directory on
> the server, and I won't even know which user did that!

Thanks for clarifying this. I was not thinking on the same line as you. So a
malicious user can do something like:

  while (1) {
    session_save_path(pick_a_writeabledir());
    session_start();
    session_write_close();
  }

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
Re: [PHP] session.save_path is a big security hole!
"Curt Zirzow" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> * Thus wrote Rx ([EMAIL PROTECTED]):
>> There's absolutely no control over the session.save_path parameter in php.
>> By setting it to every directory he wants, every user can:
>
> You can set the value with
> php_admin_value save_path "/tmp"

If I set php_admin_value, the user STILL can change the value with ini_set()!
I tested it. php_admin_value only prevents changing the value from a .htaccess
file. Actually this also makes sense to me: values set by php_admin_value
shouldn't be allowed to change ever.

>> 1. (!!!) Absolutely easily generate new sessions with any content for every
>> site on server.
>
> prevented with open_basedir. Can you demonstrate how you expect to
> do this? Using open_basedir most can also resolve this issue.

You didn't understand. I change save.session_path to another site's session
directory, do session_start(), write every variable I want, write down the
session number, go to this site and use this generated session. You can't
prevent this ever!

>> 2. Delete other users' sessions by setting gc to 100 and probably legal
>> files starting with sess_*.
>
> This might be a valid point if you also mention that if the user
> sets gc_maxlifetime to a value of 1 or lower than cache_expire,
> and the gc_probability at 100. Although I haven't tested, and
> probably should be.
>
> I'm also not sure but technically gc_maxlifetime should never be
> lower than cache_expire, if this is the case then there are no issues
> with setting gc_probability to 100, 'cept for a bunch of overhead for
> the user's script.

Hm, what's the connection with cache_expire? The user sets gc to 100 and
maxlifetime to 1 sec, then that script will delete every session in the
directory.

>> 3. Flood every http server writable directory with thousands or millions
>> of files.
>
> Don't allow the person to create files. That is the only way to
> prevent a user from doing this regardless of the save_path parameter.

No, it's not a valid point. Every user can access only certain directories
with apache permissions or with his own. And I know which directory belongs
to whom. However with session.save_path a user can flood EVERY directory on
the server, and I won't even know which user did that!

>> session.save_path should be controlled under the open_basedir variable or
>> some other mechanism.
>
> Perhaps a better solution would be to have a php.ini setting for
> disabling ini settings:
>
> disable_ini session.save_path,session.gc_maxlifetime

Well I agree, that should be done too.

> Curt
> --
> "I used to think I was indecisive, but now I'm not so sure."
Re: [PHP] session.save_path is a big security hole!
* Thus wrote Rx ([EMAIL PROTECTED]):
> There's absolutely no control over the session.save_path parameter in php.
> By setting it to every directory he wants, every user can:

You can set the value with
php_admin_value save_path "/tmp"

> 1. (!!!) Absolutely easily generate new sessions with any content for every
> site on server.

prevented with open_basedir. Can you demonstrate how you expect to do this?
Using open_basedir most can also resolve this issue.

> 2. Delete other users' sessions by setting gc to 100 and probably legal
> files starting with sess_*.

This might be a valid point if you also mention that if the user sets
gc_maxlifetime to a value of 1 or lower than cache_expire, and the
gc_probability at 100. Although I haven't tested, and probably should be.

I'm also not sure but technically gc_maxlifetime should never be lower than
cache_expire, if this is the case then there are no issues with setting
gc_probability to 100, 'cept for a bunch of overhead for the user's script.

> 3. Flood every http server writable directory with thousands or millions
> of files.

Don't allow the person to create files. That is the only way to prevent a
user from doing this regardless of the save_path parameter.

> session.save_path should be controlled under the open_basedir variable or
> some other mechanism.

Perhaps a better solution would be to have a php.ini setting for disabling
ini settings:

disable_ini session.save_path,session.gc_maxlifetime

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
Re: [PHP] session.save_path
thx John. That did the trick for me!

regards Wilbert

- Original Message -
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
To: "Wilbert Enserink" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 8:18 PM
Subject: Re: [PHP] session.save_path

> You have to set the session.save_path to a path on your machine that PHP can
> write session files to. You can make a temp folder in your C: drive and then
> set the path to c:/temp or c:\\temp or create and set it to any other folder
> you want. Make sure (if you're using NTFS) that user IUSR_
> has permission to read/write to the directory you specify.
>
> ---John Holmes...

-
Pas de Deux
Van Mierisstraat 25
2526 NM Den Haag
tel 070 4450855
fax 070 4450852
http://www.pdd.nl
[EMAIL PROTECTED]
-
Re: [PHP] session.save_path
You have to set the session.save_path to a path on your machine that PHP can
write session files to. You can make a temp folder in your C: drive and then
set the path to c:/temp or c:\\temp or create and set it to any other folder
you want. Make sure (if you're using NTFS) that user IUSR_
has permission to read/write to the directory you specify.

---John Holmes...

- Original Message -
From: "Wilbert Enserink" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 12:09 PM
Subject: [PHP] session.save_path

> Hi all,
>
> I'm trying to install php/apache with phptriad. This worked fine,
> however when I'm using session variables the thing goes nuts:
>
> Warning: open(/tmp\sess_d22b57336449f89ad54b974794dd53f4, O_RDWR) failed: m
> (2) in C:\apache\htdocs\dm\wwwtest\phpincludes\session\session.php on line 2
>
> Warning: open(/tmp\sess_d22b57336449f89ad54b974794dd53f4, O_RDWR) failed: m
> (2) in Unknown on line 0
>
> Warning: Failed to write session data (files). Please verify that the
> current setting of session.save_path is correct (/tmp) in Unknown on line 0
>
> --
> This is how my phpinfo() sees it:
>
> Directive                   Local Value   Master Value
> session.save_handler        files         files
> session.save_path           /tmp          /tmp
> session.serialize_handler   php           php
> session.use_cookies         On            On
>
> Does anybody have any idea what to do? Should I adjust php.ini? And where
> should this directory "/tmp" be located? Because it's not on my harddisk,
> so this might be the error. (I'm on WinXP BTW)
>
> Well, thx for all info!
>
> regards Wilbert
>
> -
> Pas de Deux
> Van Mierisstraat 25
> 2526 NM Den Haag
> tel 070 4450855
> fax 070 4450852
> http://www.pdd.nl
> [EMAIL PROTECTED]
> -
Re: [PHP] Session.save_path in php.ini
Which php.ini file are you changing? Are you referring to the php.ini which is
in the C:\Windows directory?

- Original Message -
From: Tim Loram <[EMAIL PROTECTED]>
Date: Thursday, April 25, 2002 4:56 pm
Subject: [PHP] Session.save_path in php.ini

> Hi,
>
> Having some issues with the session.save_path value in php.ini
>
> Whatever I change this value to it always ends up trying to save the
> temporary session info in /tmp (the default setting in php.ini).
>
> I can override the value by setting a new path in the actual php script
> using session_save_path("my/path/here") but if I don't specify a path like
> this it always attempts to save in /tmp (c:\tmp\) even though the value in
> the php.ini file says otherwise
>
> Why is this happening ?
>
> HELP!
>
> Cheers.
>
> Tim Loram
> LaTiS Centre
> University of Exeter
> Queens Building
> Queens Drive
> Exeter
> EX4 4QH
>
> Tel: (01392) 263721
> http://latis.ex.ac.uk/
Re: [PHP] session.save_path
> Warning: open(/tmp\sess_1b7577b36d874741ed1e74b4bead0dfd, O_RDWR) failed: m
> (2) in h:\program\apache\htdocs/boa/sessionTest.php on line 5
>
> Warning: open(/tmp\sess_1b7577b36d874741ed1e74b4bead0dfd, O_RDWR) failed: m
> (2) in Unknown on line 0
>
> Warning: Failed to write session data (files). Please verify that the
> current setting of session.save_path is correct (/tmp) in Unknown on line 0
>
> I have a tmp directory under my apache directory (I'm running win2k btw).
> Is it supposed to go anywhere else? Please help me!

PHP is trying to open "/tmp", which would be a Un*x sorta equivalent of
"C:/tmp", only you've created a tmp dir down inside the Apache directory...

And your machine ain't got a "/tmp" dir, and never could have one, since
Windows kinda requires that drive letter thingie.

Edit your php.ini file and change the session.save_path to be something not
unlike this:

session.save_path = "h:/program/apache/tmp"

Only I'm not sure you want h: and I'm not sure you want a trailing slash or
not... But for sure, you can't leave it as "/tmp" and have it work on Windows.

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm