Red Hat Bugzilla – Bug 89975
php session.save_path insecure
Last modified: 2007-04-18 12:53:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
Description of problem:
In /etc/php.ini, session.save_path is set to /tmp, which is world-readable.
This would allow an attacker to get anyone's session info.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install RH9 with php
2. See /etc/php.ini for session.save_path
The files are created with permissions 0600 though - how can this allow an
attacker to retrieve session information?
It looks like the files are not created with O_EXCL, which means a local
attacker could possibly subvert a new session, if they can predict the session
key. I'm not sure how predictable session keys are - have you researched that?
My gut feel says that since these files are usually created by whatever user is
running apache, that even O_EXCL isn't going to be sufficient, since you can do
"ls /tmp". A rogue PHP script would do the trick on a shared server of some
sort, like found with many hosting companies.
for a bit more info.
You can fix all this by appropriate configuration, but the defaults are not
ideal, I agree. In a vhosted environment you can set a separate save_path for
each vhost in httpd.conf, like:
php_admin_value session.save_path /private/space/for/vhost
Downgrading this from "security" severity since it's really a configuration issue.
I strongly disagree with the downgrade from security status. This may appear to
be just a configuration issue, but the Red Hat default configuration is
vulnerable to session hijacking.
This is fixed in Raw Hide for future releases, by adding
/var/lib/php/session which has permissions of 0700 is owned by apache;
the default php.ini now uses:
session.save_path = /var/lib/php/session
Thanks for the report.