Bug 89975

Summary: php session.save_path insecure
Product: [Retired] Red Hat Linux
Reporter: Tom Wood <woodt>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 9
Keywords: Security
Hardware: i386
OS: Linux
Fixed In Version: 4.3.4-5
Doc Type: Bug Fix
Last Closed: 2004-01-21 17:42:28 UTC

Description Tom Wood 2003-04-30 17:48:09 UTC
Description of problem:
In /etc/php.ini, session.save_path is set to /tmp, which is world-readable. 
This would allow an attacker to get anyone's session info.

Version-Release number of selected component (if applicable):
php-4.2.2-17

How reproducible:
Always

Steps to Reproduce:
1. Install RH9 with php
2. See /etc/php.ini for session.save_path

Comment 1 Joe Orton 2003-05-06 15:45:40 UTC
The files are created with permissions 0600 though - how can this allow an
attacker to retrieve session information?

Comment 2 Joe Orton 2003-05-06 15:57:01 UTC
It looks like the files are not created with O_EXCL, which means a local
attacker could possibly subvert a new session, if they can predict the session
key.  I'm not sure how predictable session keys are - have you researched that?

Comment 3 Tom Wood 2003-05-07 00:22:53 UTC
My gut feel says that since these files are usually created by whatever user is
running apache, that even O_EXCL isn't going to be sufficient, since you can do
"ls /tmp".  A rogue PHP script would do the trick on a shared server of some
sort, like found with many hosting companies.

Please reference
http://www.webkreator.com/php/configuration/php-session-security.html
for a bit more info.

Comment 4 Joe Orton 2003-05-07 09:18:51 UTC
Ah, thanks.

You can fix all this by appropriate configuration, but the defaults are not
ideal, I agree.  In a vhosted environment you can set a separate save_path for
each vhost in httpd.conf, like:

  php_admin_value session.save_path /private/space/for/vhost


Comment 5 Joe Orton 2003-05-16 11:30:40 UTC
Downgrading this from "security" severity since it's really a configuration issue.

Comment 6 Tom Wood 2003-05-17 02:34:11 UTC
I strongly disagree with the downgrade from security status.  This may appear to
be just a configuration issue, but the Red Hat default configuration is
vulnerable to session hijacking.

Comment 7 Joe Orton 2004-01-21 17:42:28 UTC
This is fixed in Raw Hide for future releases, by adding
/var/lib/php/session, which has permissions of 0700 and is owned by apache;
the default php.ini now uses:

session.save_path = /var/lib/php/session

Thanks for the report.
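An added example (not part of this bug report or of Red Hat's php package) that audits the configuration described in this thread: it reads session.save_path from a php.ini and checks that the directory has the 0700, app-owned layout of the fix rather than the shared /tmp default. It assumes GNU stat; the paths in the comments are constructed.

```shell
#!/bin/sh
# Added example: audit the php session.save_path setting discussed in bug 89975.

# session_save_path INI -> prints the configured session.save_path.
# The last active (non-comment) assignment wins, as in php.ini itself; an
# unset value falls back to /tmp, the insecure default this report is about.
session_save_path() {
    line=$(grep -E '^[[:space:]]*session\.save_path[[:space:]]*=' "$1" | tail -n 1)
    rhs=${line#*=}
    rhs=$(printf '%s' "$rhs" | sed 's/^[[:space:]]*//')
    case $rhs in
        \"*) val=$(printf '%s' "$rhs" | sed 's/^"\([^"]*\)".*/\1/') ;;   # quoted value
        *)   val=$(printf '%s' "${rhs%%;*}" | sed 's/[[:space:]]*$//') ;; # drop ; comment
    esac
    val=${val##*;}        # PHP also accepts "N;MODE;/path"; keep only the path part
    printf '%s\n' "${val:-/tmp}"
}

# check_save_path DIR OWNER -> 0 when DIR is owned by OWNER and has no group or
# other permission bits (the 0700 apache-owned layout adopted in comment 7);
# 1 otherwise, with the reason printed. GNU stat is assumed.
check_save_path() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    mode=$(stat -c '%a' "$dir")
    user=$(stat -c '%U' "$dir")
    case $mode in
        *00) ;;   # e.g. 700: only the owner can list or enter the directory
        *)   echo "FAIL $dir: mode $mode lets other local users list or enter it"; return 1 ;;
    esac
    [ "$user" = "$owner" ] || { echo "FAIL $dir: owned by $user, not $owner"; return 1; }
    echo "OK $dir: mode $mode owner $user"
}

# audit_php_sessions INI OWNER -> audits the directory named by INI's session.save_path.
# Constructed usage: audit_php_sessions /etc/php.ini apache
audit_php_sessions() {
    check_save_path "$(session_save_path "$1")" "$2"
}
```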