Date: Sun, 08 Feb 2015 14:49:12 -0800
From: Stanislav Malyshev <smalyshev@...il.com>
To: Kurt Seifried <kseifried@...hat.com>, security@....net, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2013-6501 php: predictible filename used for cache in world writable directory

Hi!

> https://bugzilla.redhat.com/show_bug.cgi?id=1009103
>
> not sure if this got fixed or not, PHP can you comment?

This seems to be easily fixed by proper configuration (i.e. having
soap.wsdl_cache_dir set to a directory accessible only to the user
running PHP, or, on the shared host, having per-user config for each
user) but I'm not sure how to fix it in the generic case since that
directory wouldn't exist by default. On specific package - like RH - it
could create a separate directory - like /tmp/php-wsdl-cache - with web
server permissions and set the variable to use it - but since default
PHP install has no install scripts not sure yet how to improve it in a
generic way.

--
Stas Malyshev
smalyshev@...il.com
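
The configuration fix described in the message above, sketched as an added example that is not part of the original post or of PHP itself: read `soap.wsdl_cache_dir` from a php.ini, verify that the directory is owner-only, and create it safely when it does not exist. The function names and the sample php.ini are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit or create a private directory for soap.wsdl_cache_dir.
# Function names and the sample php.ini below are hypothetical/constructed.

# Print the last soap.wsdl_cache_dir value set in the ini file $1.
wsdl_cache_dir_from_ini() {
    sed -n 's/^[[:space:]]*soap\.wsdl_cache_dir[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# Succeed only if $1 is a real directory owned by uid $2 (default: the
# current user) whose mode string shows owner-only access.
check_wsdl_cache_dir() {
    dir=$1 want_uid=${2:-$(id -u)}
    [ -L "$dir" ] && { echo "FAIL: $dir is a symlink"; return 1; }
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    mode=$(ls -ldn "$dir" | awk '{print $1}')
    uid=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid, expected $want_uid"; return 1; }
    case $mode in
        d???------*) echo "OK: $dir ($mode) is private to uid $uid" ;;
        *) echo "FAIL: $dir ($mode) is not owner-only"; return 1 ;;
    esac
}

# Create $1 with mode 0700. mkdir without -p fails if the path already exists,
# so a directory or symlink planted by another local user is never adopted.
make_private_cache_dir() {
    mkdir -m 0700 "$1" && check_wsdl_cache_dir "$1"
}

# Demo on constructed input: a throwaway php.ini naming a fresh directory.
demo() {
    base=$(mktemp -d) || return 1
    printf 'soap.wsdl_cache_dir = "%s/php-wsdl-cache" ; constructed\n' "$base" > "$base/php.ini"
    make_private_cache_dir "$(wsdl_cache_dir_from_ini "$base/php.ini")"
    rc=$?
    rm -rf "$base"
    return $rc
}
```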