Date: Sun, 08 Feb 2015 14:49:12 -0800
From: Stanislav Malyshev
To: Kurt Seifried
Subject: Re: CVE-2013-6501 php: predictable filename used for cache in world
 writable directory


> not sure if this got fixed or not, PHP can you comment?

This seems to be easily fixed by proper configuration (i.e. having
soap.wsdl_cache_dir set to a directory accessible only to the user
running PHP, or, on the shared host, having per-user config for each
user) but I'm not sure how to fix it in the generic case since that
directory wouldn't exist by default. On a specific package - like RH - it
could create a separate directory - like /tmp/php-wsdl-cache - with web
server permissions and set the variable to use it - but since the default
PHP install has no install scripts, I'm not sure yet how to improve it in a
generic way.
Stas Malyshev
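
The configuration fix described in the message above depends on the directory behind soap.wsdl_cache_dir being private to the PHP user. This is an added example, not part of the original message or of PHP: a hypothetical helper, check_wsdl_cache_dir, that audits a candidate directory, assuming GNU coreutils stat(1) and using a constructed temporary directory as sample input.

```shell
#!/bin/sh
# Added example: audit a directory before pointing soap.wsdl_cache_dir at it.
# Assumes GNU coreutils stat(1); check_wsdl_cache_dir is a hypothetical helper.

# Usage: check_wsdl_cache_dir DIR EXPECTED_UID
# Returns 0 only if DIR is a real directory, owned by EXPECTED_UID,
# with no group/other permission bits (e.g. mode 0700).
check_wsdl_cache_dir() {
    dir=$1
    want_uid=$2

    # In a shared parent such as /tmp another local user may have created
    # the name first, as a symlink or as a directory they own.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a directory"; return 1
    fi

    # %u = numeric owner, %a = octal mode (for example "700" or "1777").
    set -- $(stat -c '%u %a' "$dir")
    owner=$1
    mode=$2

    if [ "$owner" -ne "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $owner, expected $want_uid"; return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $dir mode $mode grants group/other access"; return 1
    fi
    echo "OK: $dir (uid $owner, mode $mode)"
}

# Constructed demo: a private directory passes, a /tmp-style one does not.
demo=$(mktemp -d)                 # mktemp -d creates the directory mode 0700
check_wsdl_cache_dir "$demo" "$(id -u)" || true
chmod 1777 "$demo"                # world-writable with sticky bit, like /tmp
check_wsdl_cache_dir "$demo" "$(id -u)" || true
rmdir "$demo"
```

A package install script or deployment check could run this against the configured directory with the web server's numeric uid and refuse to enable the WSDL cache on failure.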
