From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
In /etc/php.ini, session.save_path is set to /tmp, which is world-readable. This would allow an attacker to get anyone's session info.

Version-Release number of selected component (if applicable):
php-4.2.2-17

How reproducible:
Always

Steps to Reproduce:
1. Install RH9 with php
2. See /etc/php.ini for session.save_path
3.

Additional info:
The files are created with permissions 0600 though - how can this allow an attacker to retrieve session information?
It looks like the files are not created with O_EXCL, which means a local attacker could possibly subvert a new session, if they can predict the session key. I'm not sure how predictable session keys are - have you researched that?
My gut feel says that since these files are usually created by whatever user is running apache, that even O_EXCL isn't going to be sufficient, since you can do "ls /tmp". A rogue PHP script would do the trick on a shared server of some sort, like found with many hosting companies. Please reference http://www.webkreator.com/php/configuration/php-session-security.html for a bit more info.
Ah, thanks. You can fix all this by appropriate configuration, but the defaults are not ideal, I agree. In a vhosted environment you can set a separate save_path for each vhost in httpd.conf, like:

    php_admin_value session.save_path /private/space/for/vhost
Downgrading this from "security" severity since it's really a configuration issue.
I strongly disagree with the downgrade from security status. This may appear to be just a configuration issue, but the Red Hat default configuration is vulnerable to session hijacking.
This is fixed in Raw Hide for future releases, by adding /var/lib/php/session, which has permissions of 0700 and is owned by apache; the default php.ini now uses:

    session.save_path = /var/lib/php/session

Thanks for the report.
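As an added example (not part of the bug report or of the Red Hat package), the following shell function audits a session.save_path directory for the two weaknesses raised in this thread: a directory other local users can list (the "ls /tmp" problem) and session files not restricted to the web server user. It assumes a Linux host with GNU coreutils stat, and takes the expected owner (e.g. apache) as an argument.

```shell
# Audit a PHP session.save_path directory. Returns 0 when the directory is
# 0700 (or 0500), owned by the expected user, and every sess_* file inside is
# 0600 and owned by that same user; returns 1 on any finding, 2 if missing.
check_session_dir() {
    dir="$1"; owner="$2"; rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    # GNU stat: octal mode (sticky bit shows as a leading 1, e.g. 1777) and owner name
    set -- $(stat -c '%a %U' "$dir")
    mode="$1"; who="$2"
    # A world-listable directory lets any local user enumerate session ids.
    case "$mode" in
        700|500) ;;
        *) echo "directory $dir mode $mode, expected 700"; rc=1 ;;
    esac
    [ "$who" = "$owner" ] || { echo "directory $dir owned by $who, expected $owner"; rc=1; }
    # PHP creates session files 0600; anything looser exposes session data.
    for f in "$dir"/sess_*; do
        [ -e "$f" ] || continue
        set -- $(stat -c '%a %U' "$f")
        if [ "$1" != "600" ] || [ "$2" != "$owner" ]; then
            echo "session file $f mode $1 owner $2, expected 600 $owner"; rc=1
        fi
    done
    return $rc
}

# Usage: check_session_dir /var/lib/php/session apache
```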