[php-maint] Bug#766147: AW: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Fiedler Roman Roman.Fiedler at ait.ac.at
Tue Oct 21 09:16:01 UTC 2014


> Von: Ondřej Surý [mailto:ondrej at sury.org]
> 
> On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > Von: Ondřej Surý [mailto:ondrej at sury.org]
> > >
> > > Hi,
> > >
> > > TL;DR: "s/touch -c/touch -c -h/", right?
> >
> > This will fix it for arbitrary symlinks, the only remaining issues would
> > be
> >
> > a) keeping open a file ".. xxxx", which will update the parent directory
> > modification time.
> 
> Which parent directory? The session dir or the symlink target parent
> directory?

The /var/lib directory: Since the parsing of the lsof output is broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c "/var/lib/php5/.." without involving any symlinks.
 
> > b) keeping open a file "[otherfilename] [random]", which will prevent
> > arbitrary other sessions from timing out. Since most likely malicious
> > process should be "www-data", this is not of any significance.
> 
> The httpd user (www-data) has access to all session files if the
> attacker knows the session name.

Yes, so no relevance with "www-data". But e.g. user "nobody" could prevent any "www-data" session from timing out when knowing the name, just a subtle annoyance.
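An added example, not from this thread or the Debian php5 package's own cleanup script, showing why the `awk '$9'` parse discussed above is unsafe on a constructed lsof line whose NAME column contains a space, beside a parse that keeps the whole NAME and only accepts plain session files sitting directly inside the session directory. SESSION_DIR, the sample lsof lines and the `sess_` prefix are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of lsof's default whitespace-separated output for files
# held open under a PHP session directory. The last line is a file named
# ".. xxxx"; taking only the 9th field turns it into the parent directory.
SESSION_DIR="/var/lib/php5"
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php5-fpm 1234 www-data 5u REG 8,1 512 99 /var/lib/php5/sess_abc123
php5-fpm 1235 nobody 6u REG 8,1 0 100 /var/lib/php5/.. xxxx'

# Naive parse mirroring the bug: the 9th whitespace-separated field only.
naive_names() {
    printf '%s\n' "$SAMPLE_LSOF" | awk 'NR > 1 { print $9 }'
}

# Safer parse: strip the first eight columns and keep the rest of the line
# as the NAME (it may contain spaces), then accept only names of the form
# SESSION_DIR/sess_* so "..", subdirectories and oddly named files never
# reach touch. Whatever is emitted here should still be touched with
# "touch -c -h" so a symlink is never followed.
safe_names() {
    printf '%s\n' "$SAMPLE_LSOF" | awk 'NR > 1 {
        name = $0
        for (i = 1; i <= 8; i++) sub(/^[^ \t]+[ \t]+/, "", name)
        print name
    }' | while IFS= read -r name; do
        dir=${name%/*}
        base=${name##*/}
        if [ "$dir" = "$SESSION_DIR" ]; then
            case "$base" in
                sess_*) printf '%s\n' "$name" ;;
            esac
        fi
    done
}

echo "naive parse:"; naive_names
echo "safe parse:";  safe_names
```

On a real system the NAME column can be taken unambiguously from lsof's field output mode (`lsof -F`), which the awk step above only approximates.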