[php-maint] Bug#766147: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Ondřej Surý ondrej at sury.org
Tue Oct 21 09:09:05 UTC 2014


On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ondrej at sury.org]
> > 
> > Hi,
> > 
> > TL;DR: "s/touch -c/touch -c -h/", right?
> 
> This will fix it for arbitrary symlinks, the only remaining issues would
> be
> 
> a) keeping open a file ".. xxxx", which will update the parent directory
> modification time.

Which parent directory? The session dir or the symlink target parent
directory?

> b) keeping open a file "[otherfilename] [random]", which will prevent
> arbitrary other sessions from timing out. Since most likely malicious
> process should be "www-data", this is not of any significance.

The httpd user (www-data) has access to all session files if the
attacker knows the session name.

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
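
The difference between `touch -c` and `touch -c -h` discussed in this thread, as an added example that is not part of the original message or of the php5 package's cleanup script. It assumes GNU coreutils (`stat -c %Y`); the scratch directories and the name `sess_demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: compares `touch -c` and `touch -c -h` on a symlink that
# sits in a stand-in session directory. Assumes GNU coreutils (stat -c %Y).

# Print the mtime (epoch seconds) of a file, following symlinks.
target_mtime() { stat -L -c %Y "$1"; }

# touch_effect "<touch options>"
# Builds a scratch layout, runs touch with the given options on the symlink,
# and prints "changed" or "unchanged" for the mtime of the symlink's target.
touch_effect() {
    opts=$1
    work=$(mktemp -d) || return 1
    mkdir "$work/sessions" "$work/elsewhere"
    # Target file outside the session directory, given an old timestamp.
    : > "$work/elsewhere/target"
    touch -t 200001010000 "$work/elsewhere/target"
    # Symlink placed inside the session directory (hypothetical name).
    ln -s "$work/elsewhere/target" "$work/sessions/sess_demo"
    before=$(target_mtime "$work/elsewhere/target")
    # $opts is deliberately unquoted so "-c -h" splits into two options.
    touch $opts "$work/sessions/sess_demo"
    after=$(target_mtime "$work/elsewhere/target")
    rm -rf "$work"
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

echo "touch -c    : target $(touch_effect '-c')"
echo "touch -c -h : target $(touch_effect '-c -h')"
```

With `-h`, only the symlink's own timestamp is updated, so the file it points to keeps its original modification time.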


