Newsgroups: php.internals
Date: Mon, 26 Jul 2004 10:39:42 +0200
Message-ID: <1241018000.20040726103942@vrana.cz>
From: vrana@php.net (Jakub Vrana)
To: internals@lists.php.net
Cc: Peter Brodersen
In-Reply-To: <20040725155303.2C25.PHP@ter.dk>
References: <20040725155303.2C25.PHP@ter.dk>
Subject: Re: Bugreports - is it worth it? (or: glob() disclosing file names with open_basedir and safe_mode-restriction)

> Is there any way of restricting people from retrieving file names (where
> open_basedir and safe_mode obviously won't help), besides adding glob to
> disable_functions in php.ini?

If I understand you correctly, only files owned by the script owner (thus potentially the Apache user) are disclosed. Because sessions in a common directory are not secure regardless of whether you can read the session filenames or not (you can reveal them from some logs), it's better to store session files in different directories for each virtual host. This way, a user can read other users' session filenames but she can't use them for anything. We use it on my company's hosting and I believe it's secure enough.

P.S. I'm on your side with securing glob(), but it will not solve all security risks with session files stored in a common directory.

Jakub Vrana
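The per-virtual-host session directory described in the message above, as an added example that is not part of the original e-mail or of PHP's own configuration: an Apache configuration showing the shared-directory default beside the per-host layout. The hostnames and paths are hypothetical, and the example assumes PHP runs as mod_php so that php_admin_value applies (a CGI/FastCGI setup would set the same directives in its per-site php.ini instead).

```apacheconf
# Added example (not from the original message). Hostnames and paths are
# hypothetical; assumes PHP is loaded as an Apache module (mod_php).

# Weak layout: no session.save_path per host, so both sites fall back to the
# php.ini default (typically a single shared directory such as /tmp). A
# script on site A that learns a filename sess_<id> from that directory,
# e.g. via glob(), holds a session id that site B will also accept.
<VirtualHost *:80>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a/htdocs
    php_admin_value open_basedir "/var/www/site-a/"
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b/htdocs
    php_admin_value open_basedir "/var/www/site-b/"
</VirtualHost>

# Hardened layout: each host keeps its session files in its own directory,
# inside its own open_basedir and outside its DocumentRoot. A session id
# copied from site A's directory matches no file in site B's directory, so
# knowing the filename gains nothing. php_admin_value (not php_value) is used
# so .htaccess or ini_set() in a script cannot point save_path elsewhere.
# Each sessions directory must exist and be writable by the PHP process.
<VirtualHost *:80>
    ServerName site-a.example.com
    DocumentRoot /var/www/site-a/htdocs
    php_admin_value open_basedir "/var/www/site-a/"
    php_admin_value session.save_path "/var/www/site-a/sessions"
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example.com
    DocumentRoot /var/www/site-b/htdocs
    php_admin_value open_basedir "/var/www/site-b/"
    php_admin_value session.save_path "/var/www/site-b/sessions"
</VirtualHost>
```

Only one of the two layouts would be active in a real configuration; they are shown together to make the difference visible. Separate directories address the cross-site reuse of a session id, which is the point of the message; they do not stop a script from listing its own host's session files, and session ids can still leak through logs or referrers, so the directories should also be excluded from any web-accessible path.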