Bug 89975 - php session.save_path insecure
Product: Red Hat Linux
Classification: Retired
Component: php
i386 Linux
medium Severity medium
Assigned To: Joe Orton
David Lawrence
: Security
Reported: 2003-04-30 13:48 EDT by Tom Wood
Modified: 2007-04-18 12:53 EDT (History)
Fixed In Version: 4.3.4-5
Doc Type: Bug Fix
Last Closed: 2004-01-21 12:42:28 EST

Description Tom Wood 2003-04-30 13:48:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
In /etc/php.ini, session.save_path is set to /tmp, which is world-readable. 
This would allow an attacker to get anyone's session info.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RH9 with php
2. See /etc/php.ini for session.save_path

Additional info:
Comment 1 Joe Orton 2003-05-06 11:45:40 EDT
The files are created with permissions 0600 though - how can this allow an
attacker to retrieve session information?
Comment 2 Joe Orton 2003-05-06 11:57:01 EDT
It looks like the files are not created with O_EXCL, which means a local
attacker could possibly subvert a new session, if they can predict the session
key.  I'm not sure how predictable session keys are - have you researched that?
Comment 3 Tom Wood 2003-05-06 20:22:53 EDT
My gut feel says that since these files are usually created by whatever user is
running apache, that even O_EXCL isn't going to be sufficient, since you can do
"ls /tmp".  A rogue PHP script would do the trick on a shared server of some
sort, like found with many hosting companies.

Please reference
for a bit more info.
Comment 4 Joe Orton 2003-05-07 05:18:51 EDT
Ah, thanks.

You can fix all this by appropriate configuration, but the defaults are not
ideal, I agree.  In a vhosted environment you can set a separate save_path for
each vhost in httpd.conf, like:

  php_admin_value session.save_path /private/space/for/vhost
Comment 5 Joe Orton 2003-05-16 07:30:40 EDT
Downgrading this from "security" severity since it's really a configuration issue.
Comment 6 Tom Wood 2003-05-16 22:34:11 EDT
I strongly disagree with the downgrade from security status.  This may appear to
be just a configuration issue, but the Red Hat default configuration is
vulnerable to session hijacking.
Comment 7 Joe Orton 2004-01-21 12:42:28 EST
This is fixed in Raw Hide for future releases, by adding
/var/lib/php/session which has permissions of 0700 and is owned by apache;
the default php.ini now uses:

session.save_path = /var/lib/php/session

Thanks for the report.
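
Added example (not part of the bug report and not Red Hat's or PHP's code): a Python check that reads session.save_path from php.ini text and verifies the directory has the properties of the fix in Comment 7, mode 0700 and the expected owner. The function names and sample php.ini fragments are constructed for illustration; the handling of the "N;MODE;/path" form goes beyond the thread and follows PHP's documented save_path syntax.

```python
import os
import re
import stat

def parse_save_path(ini_text):
    """Return the directory named by the last active session.save_path line."""
    path = None
    for line in ini_text.splitlines():
        # A leading ';' makes the line a comment, so it never matches here.
        m = re.match(r'\s*session\.save_path\s*=\s*(?:"([^"]*)"|([^;]*))', line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2).strip()
            # PHP also accepts "N;/path" and "N;MODE;/path"; the directory is last.
            path = value.split(";")[-1]
    return path

def audit_save_dir(path, expected_uid):
    """Return a list of findings; an empty list means the directory passes."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} lets group/other list or "
                        "create session files (the fix in this thread uses 0700)")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed php.ini fragments: the old default and the fixed default.
    old_ini = "; constructed sample\nsession.save_path = /tmp\n"
    new_ini = ";session.save_path = /tmp\nsession.save_path = /var/lib/php/session\n"
    print(parse_save_path(old_ini), parse_save_path(new_ini))
    # Constructed directories standing in for /tmp and /var/lib/php/session.
    with tempfile.TemporaryDirectory() as base:
        shared, private = os.path.join(base, "shared"), os.path.join(base, "private")
        os.mkdir(shared); os.chmod(shared, 0o1777)
        os.mkdir(private); os.chmod(private, 0o700)
        for d in (shared, private):
            print(d, audit_save_dir(d, os.getuid()) or "ok")
```

A passing result only covers other local users; where every vhost's PHP runs as the same apache user (the case raised in Comment 3), the per-vhost save_path from Comment 4 is still needed.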
