PHP :: Bug #33072 :: session_save_path bypass safe

PHP :: Bug #33072 :: session_save_path bypass safe_mode restriction

Bug #33072

session_save_path bypass safe_mode restriction

Submitted:

2005-05-19 23:21 UTC

Modified:

2005-05-21 21:11 UTC

Votes:	2
Avg. Score:	3.0 ± 2.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	0 (0.0%)

From:

andrey at ruweb dot net

Assigned:

rasmus (profile)

Status:

Closed

Package:

Safe Mode/open_basedir

PHP Version:

5.0.4, 4.3.11

OS:

Private report:

CVE-ID:

None

[2005-05-19 23:21 UTC] andrey at ruweb dot net

Description:
------------
(Sorry, I didn't found any reports about that issue. Can't believe nobody reported this yet!)

ini_set('session.save_path','...') works great - it produces an error when user is trying to set session.save_path to directory owned by another user.
But why session_save_path doesn't perform safe_mode checks?

For now with session_save_path any server user can quietly substitute session contents at any site located at the same server if he knows the path to directory where that site's session files stored. :(

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-05-21 17:13 UTC] zxqc2 at dunc dot com dot au

session_save_path also does not perform the open_basedir check.

It does seem reasonable to allow access to the default session.save_path set by the ISP (even if not within the allowable open_basedir path) - which PHP does allow.

However when a script attempts to change it through session_save_path(...) it would make sense to perform this check to prevent access to session directories of other virtual hosts.

I am aware that similar issues have been discussed before, and also that there are better ways to secure sessions, but I thought I'd mention it here for the record.