Bug #33072 session_save_path bypass safe_mode restriction
Submitted: 2005-05-19 23:21 UTC Modified: 2005-05-21 21:11 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: andrey at ruweb dot net Assigned: rasmus (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.0.4, 4.3.11 OS:
Private report: No CVE-ID: None
 [2005-05-19 23:21 UTC] andrey at ruweb dot net
Description:
------------
(Sorry, I didn't find any reports about that issue. Can't believe nobody reported this yet!)

ini_set('session.save_path','...') works great - it produces an error when a user is trying to set session.save_path to a directory owned by another user.
But why doesn't session_save_path perform safe_mode checks?

For now, with session_save_path any server user can quietly substitute session contents at any site located on the same server if he knows the path to the directory where that site's session files are stored. :(


 [2005-05-21 17:13 UTC] zxqc2 at dunc dot com dot au
session_save_path also does not perform the open_basedir check.

It does seem reasonable to allow access to the default session.save_path set by the ISP (even if not within the allowable open_basedir path) - which PHP does allow.

However when a script attempts to change it through session_save_path(...) it would make sense to perform this check to prevent access to session directories of other virtual hosts.

I am aware that similar issues have been discussed before, and also that there are better ways to secure sessions, but I thought I'd mention it here for the record.
 [2005-05-21 21:11 UTC] rasmus@php.net
Fixed in CVS
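
The two checks discussed in this report (directory ownership, as under safe_mode, and open_basedir containment), sketched as a userland wrapper for current PHP, where safe_mode no longer exists. This is an added example, not code from the bug report or from the PHP source; the function names `path_within_open_basedir()` and `checked_session_save_path()` are hypothetical, and the open_basedir comparison is a stricter directory-boundary match rather than a copy of the engine's own logic.

```php
<?php
// Added illustration, not PHP's internal implementation.
// Both function names are hypothetical.

/** True if $dir lies inside an open_basedir entry, or no restriction is set. */
function path_within_open_basedir(string $dir): bool
{
    $setting = (string) ini_get('open_basedir');
    if ($setting === '') {
        return true;                        // no restriction configured
    }
    foreach (explode(PATH_SEPARATOR, $setting) as $base) {
        $base = realpath($base);
        if ($base === false) {
            continue;                       // entry does not resolve; skip it
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Compare on a directory boundary so /srv/site1 never matches /srv/site10.
        if (strncmp($dir . DIRECTORY_SEPARATOR, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Validate a plain directory path, then hand it to session_save_path().
 * Must run before session_start(). The "N;MODE;/path" form of
 * session.save_path is not handled and is rejected by realpath().
 */
function checked_session_save_path(string $path): bool
{
    $real = realpath($path);                // resolves symlinks and ".."
    if ($real === false || !is_dir($real)) {
        return false;
    }
    // safe_mode-style rule: the directory owner must be the script owner.
    $owner = fileowner($real);
    if ($owner === false || $owner !== getmyuid()) {
        return false;
    }
    if (!path_within_open_basedir($real)) {
        return false;
    }
    return session_save_path($real) !== false;
}
```

A userland check like this only constrains code that calls it; keeping each virtual host's session directory owned by that host's user and unreadable to others is what stops a co-hosted script from touching another site's session files.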
 