php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33072 session_save_path bypass safe_mode restriction
Submitted: 2005-05-19 23:21 UTC Modified: 2005-05-21 21:11 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: andrey at ruweb dot net Assigned: rasmus
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.0.4, 4.3.11 OS:
Private report: No CVE-ID:
 [2005-05-19 23:21 UTC] andrey at ruweb dot net
Description:
------------
(Sorry, I didn't found any reports about that issue. Can't believe nobody reported this yet!)

ini_set('session.save_path','...') works great - it produces an error when user is trying to set session.save_path to directory owned by another user.
But why session_save_path doesn't perform safe_mode checks?

For now with session_save_path any server user can quietly substitute session contents at any site located at the same server if he knows the path to directory where that site's session files stored. :(


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-05-21 17:13 UTC] zxqc2 at dunc dot com dot au
session_save_path also does not perform the open_basedir check.

It does seem reasonable to allow access to the default session.save_path set by the ISP (even if not within the allowable open_basedir path) - which PHP does allow.

However when a script attempts to change it through session_save_path(...) it would make sense to perform this check to prevent access to session directories of other virtual hosts.

I am aware that similar issues have been discussed before, and also that there are better ways to secure sessions, but I thought I'd mention it here for the record.
 [2005-05-21 21:11 UTC] rasmus@php.net
Fixed in CVS
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 02:02:11 2014 UTC