|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2015-09-28 23:06 UTC] stas@php.net
-Summary: Security issue in SessionHandlerInterface
+Summary: SessionHandleInterface docs example allows users to
read/write arbitrary files
[2017-08-26 12:11 UTC] cmb@php.net
[2017-08-26 12:14 UTC] cmb@php.net
-Status: Open
+Status: Suspended
-Assigned To:
+Assigned To: cmb
[2017-08-26 12:14 UTC] cmb@php.net
[2017-09-06 09:52 UTC] cmb@php.net
-Status: Suspended
+Status: Closed
[2020-02-07 06:06 UTC] phpdocbot@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Jul 12 07:01:30 2025 UTC |
Description: ------------ The SessionHandleInterface example allows users to read or write arbitrary files on the system by passing an evil session id: function read($id): file_get_contents("$this->savePath/sess_$id"); function write($id): file_put_contents("$this->savePath/sess_$id", $data); $id is the value of the SESSID cookie and it is allowed to contain any string, including "/../var/www/backdoor.php". Since this is a documentation example, users are expecting it to be correct, and might copy/paste it as-is.