Bug 89975 - php session.save_path insecure
Summary: php session.save_path insecure
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: php   
(Show other bugs)
Version: 9
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2003-04-30 17:48 UTC by Tom Wood
Modified: 2007-04-18 16:53 UTC (History)
0 users

Fixed In Version: 4.3.4-5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-01-21 17:42:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Tom Wood 2003-04-30 17:48:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
In /etc/php.ini, session.save_path is set to /tmp, which is world-readable. 
This would allow an attacker to get anyone's session info.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RH9 with php
2. See /etc/php.ini for session.save_path

Additional info:

Comment 1 Joe Orton 2003-05-06 15:45:40 UTC
The files are created with permissions 0600 though - how can this allow an
attacker to retrieve session information?

Comment 2 Joe Orton 2003-05-06 15:57:01 UTC
It looks like the files are not created with O_EXCL, which means a local
attacker could possibly subvert a new session, if they can predict the session
key.  I'm not sure how predictable session keys are - have you researched that?

Comment 3 Tom Wood 2003-05-07 00:22:53 UTC
My gut feel says that since these files are usually created by whatever user is
running apache, that even O_EXCL isn't going to be sufficient, since you can do
"ls /tmp".  A rogue PHP script would do the trick on a shared server of some
sort, like found with many hosting companies.

Please reference
for a bit more info.

Comment 4 Joe Orton 2003-05-07 09:18:51 UTC
Ah, thanks.

You can fix all this by appropriate configuration, but the defaults are not
ideal, I agree.  In a vhosted environment you can set a separate save_path for
each vhost in httpd.conf, like:

  php_admin_value session.save_path /private/space/for/vhost

Comment 5 Joe Orton 2003-05-16 11:30:40 UTC
Downgrading this from "security" severity since it's really a configuration issue.

Comment 6 Tom Wood 2003-05-17 02:34:11 UTC
I strongly disagree with the downgrade from security status.  This may appear to
be just a configuration issue, but the Red Hat default configuration is
vulnerable to session hijacking.

Comment 7 Joe Orton 2004-01-21 17:42:28 UTC
This is fixed in Raw Hide for future releases, by adding
/var/lib/php/session which has permissions of 0700 is owned by apache;
the default php.ini now uses:

session.save_path = /var/lib/php/session

Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.