[php-maint] Bug#766147: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Ondřej Surý ondrej at sury.org
Tue Oct 21 09:09:05 UTC 2014

On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > Von: Ondřej Surý [mailto:ondrej at sury.org]
> > 
> > Hi,
> > 
> > TL;DR: "s/touch -c/touch -c -h/", right?
> This will fix it for arbitrary symlinks, the only remaining issues would
> be
> a) keeping open a file ".. xxxx", which will update the parent directory
> modification time.

Which parent directory? The session dir or the symlink targe parent

> b) keeping open a file "[otherfilename] [random]", which will prevent
> arbitrary other sessions from timing out. Since most likely malicious
> process should be "www-data", this is not of any significance.

The httpd user (www-data) has access to all session files if the
attacker know the session name.

Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

More information about the pkg-php-maint mailing list