From nobody@FreeBSD.org  Thu Sep 10 09:37:07 2009
Return-Path: <nobody@FreeBSD.org>
Message-Id: <200909100937.n8A9b76V066192@www.freebsd.org>
Date: Thu, 10 Sep 2009 09:37:07 GMT
From: "Maciej Andziński" <andzinsm@volt.iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PHP session.save_path vulnerability
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         138698
>Category:       ports
>Synopsis:       lang/php5: PHP session.save_path vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ale
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 10 09:40:02 UTC 2009
>Closed-Date:    Wed Sep 23 08:54:31 UTC 2009
>Last-Modified:  Wed Sep 23 08:54:31 UTC 2009
>Originator:     Maciej Andziński
>Release:        9.0-CURRENT
>Organization:
PW
>Environment:
FreeBSD volt.iem.pw.edu.pl 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sat Sep  5 18:59:28 CEST 2009     ato@volt.iem.pw.edu.pl:/tmp/obj/usr/src/sys/VOLT  amd64
>Description:
The default PHP session handler is "file" and the default location for saving sessions is the directory "/tmp". The permissions allow the user WWW to list the contents of the directory holding the session files.
>How-To-Repeat:
The script below shows the ID numbers of the current PHP sessions:

<?php
// Proof of concept from the report: list the IDs of current PHP sessions
// by reading the directory the session "files" handler writes to.
$dir = ini_get("session.save_path");
if ($dir === "" || $dir === false) {
        // An empty save_path means PHP falls back to the system temp dir.
        $dir = sys_get_temp_dir();
}
$dh = opendir($dir);
if ($dh === false) {
        die("cannot open session directory: $dir\n");
}
while (($file = readdir($dh)) !== false) {
        // Session files are named sess_<id>; print only the id part.
        if (preg_match("/sess_([a-z0-9]+)/", $file, $matches))
                print $matches[1] . "\n";
}
closedir($dh);
?>

With a correct session ID number it is easy to read the session data.

>Fix:

On some Linux systems this problem is solved by changing the directory and the permissions of the session files.

I suggest patching the php.ini files:

--- php.ini-dist.orig	2009-09-09 18:22:53.000000000 +0200
+++ php.ini-dist	2009-09-09 18:22:53.000000000 +0200
@@ -991,3 +991,3 @@
 ; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"

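Review bot: the hunk header @@ -991,3 +991,3 @@ announces three old and three new lines, but only the context line and the single changed line are visible, so check that the trailing context line survived pasting before applying this. The change also turns a commented-out default into an active setting that points at /var/lib/php5, a directory this hunk alone does not create; the line should carry a comment stating the ownership and mode the directory needs (root-owned, 01733, as the proposal below it says) so that whoever installs php.ini-dist knows to create it first.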

--- php.ini-recommended.orig	2009-09-09 18:22:53.000000000 +0200
+++ php.ini-recommended	2009-09-09 18:22:53.000000000 +0200
@@ -1042,3 +1042,3 @@
 ; does not overwrite the process's umask.
-;session.save_path = "/tmp"
+session.save_path = "/var/lib/php5"

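Review bot: repeating the php.ini-dist change for php.ini-recommended is right, since the two templates should not disagree on the session directory, but shipping the uncommented value as the default changes behaviour for every installation, including ones that keep /tmp on a fast device or rely on it being cleared at boot. Consider leaving the line commented and adding the hardened path together with the required directory mode as a comment block, or exposing the path as a port option, rather than enforcing it in both templates.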

and add the following command to the install script (install(1) creates the directory with the given owner and mode; mkdir has no -o flag):
install -d -o www -m 01733 /var/lib/php5


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-www->freebsd-ports 
Responsible-Changed-By: remko 
Responsible-Changed-When: Thu Sep 10 10:24:18 UTC 2009 
Responsible-Changed-Why:  
reassign to ports team; this has nothing to do with the webmasters queue 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698 

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org,  andzinsm@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:14:32 +0200

 I don't know what you are trying to solve.
 
 If PHP runs under user www (Apache), it can still read the content of 
 the directory.
 If you want to disallow access to sessions of different domains 
 (VirtualHosts), you can do it by using different session.save_path for 
 each domain.
 
 In the context of the VirtualHost for www.domain1.tld:
      php_admin_value    session.save_path    /web/www.domain1.tld/tmp
 
 
 In the context of the VirtualHost for www.domain2.tld:
      php_admin_value    session.save_path    /web/www.domain2.tld/tmp

From: Maciej Andzinski <andzinsm@volt.iem.pw.edu.pl>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 13:58:42 +0200 (CEST)

 The problem is in the permissions and that is what I suggest to fix. But you 
 are right, I've made a mistake - the owner of /var/lib/php5 should be 
 root, not www.
 
 I suggest changing the permissions to 01733 (rwx-wx-wt); it can prevent 
 session numbers from leaking.
 
 Is it clear now?

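The hardened directory the thread converges on (root-owned, mode 01733) as an added example, not code from the PR or the port: a small POSIX sh audit that reports whether a session directory can be listed by group or others and applies the proposed mode. The directory path is a parameter and the script only uses ls(1), chmod(1), chown(1) and mkdir(1); it assumes nothing about the port's build scripts.

```shell
#!/bin/sh
# Added example (not from the PR): audit a PHP session directory for the
# world-listable condition described in the report and apply the hardening
# the thread settles on: owner root, mode 01733 (rwx-wx-wt).

# Print the symbolic mode string of a path, e.g. "drwx-wx-wt".
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when the directory matches the proposal:
#  - not readable by group or others (nobody can list sess_* names),
#  - sticky bit set (users may only remove their own session files),
#  - writable and searchable by others so the web user can still create files.
# Return 1 otherwise and print the reason.
check_session_dir() {
    m=$(dir_mode "$1")
    [ "$(echo "$m" | cut -c1)" = "d" ] || { echo "$1: not a directory"; return 1; }
    case "$(echo "$m" | cut -c5)" in
        r) echo "$1: group can list session files"; return 1 ;;
    esac
    case "$(echo "$m" | cut -c8)" in
        r) echo "$1: others can list session files"; return 1 ;;
    esac
    case "$(echo "$m" | cut -c10)" in
        t|T) ;;
        *) echo "$1: sticky bit not set"; return 1 ;;
    esac
    case "$(echo "$m" | cut -c9)" in
        w) ;;
        *) echo "$1: others cannot create session files"; return 1 ;;
    esac
    return 0
}

# Create the directory if needed and apply mode 01733. The chown to root is
# only attempted when running as root, since that is when it is possible.
harden_session_dir() {
    mkdir -p "$1" && chmod 01733 "$1" || return 1
    if [ "$(id -u)" = 0 ]; then
        chown root "$1" || return 1
    fi
    check_session_dir "$1"
}
```

Run as root with the real path (for example harden_session_dir /var/lib/php5) to apply the fix; run check_session_dir alone to audit without changing anything.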
From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org,  andzinsm@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

 Yes, it is clear now and with owner root, it works.
 
 I propose to make this optional, as somebody may have /tmp optimized for 
 better speed (another disk device, flash device, RAM disk etc.) but not 
 /var/lib/php5.
 And FreeBSD doesn't have /var/lib by default; /var/lib/* is mostly used 
 by some Linux distributions. I am not sure if it is the right place to 
 put these files, according to man hier(7).
 The next thing to think about is that /tmp is (or easily can be) cleared at 
 system startup, but /var/*/* is not.
 If we do some change in the default php.ini, it affects more than just 
 "files are moved to another place", so things need to be done carefully.
 
 Maybe leave the default as is and put these hardening steps in comments 
 in php.ini; then anybody can make their own decision.

From: Maciej Andziński <andzinsm@volt.iem.pw.edu.pl>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Sun, 13 Sep 2009 18:38:44 +0200

 I am a Linux user, so maybe you could recommend a better location in FreeBSD than /var/lib/php5? I am also thinking about where to add the "mkdir" command; is there any special place in the makefile? What do you think?

Responsible-Changed-From-To: freebsd-ports->ale 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Sat Sep 19 18:35:31 UTC 2009 
Responsible-Changed-Why:  
over to php maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698 
State-Changed-From-To: open->closed 
State-Changed-By: ale 
State-Changed-When: Wed Sep 23 08:52:46 UTC 2009 
State-Changed-Why:  
It's a configuration problem, you have many ways to solve it: 
- use open_basedir 
- use php-suhosin 
- your proposed solution 
- ... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138698 
>Unformatted:
