Full Disclosure mailing list archives

Re: Path disclosure in PHP 5.3.1


From: Gynvael Coldwind <gynvael () coldwind pl>
Date: Mon, 28 Dec 2009 22:14:52 +0100

Hi,

I don't think this is a new vulnerability / warning.
I saw it 3 months ago in a comment from an anonymous user (on my blog):

English translation (by me, original was in Polish):
2009-09-24 10:39:34: "not one but two" well actually 3 :)
I would like to say that as far as session start goes, there are three
ways (or more) to see the path. The third way is to change the session
string to a very long string (I haven't tested how long it should be), and
we get: Unknown(): Failed to write
session data (files) or open(/cos/sess_cos, O_RDWR) failed: in ...

The original comment, in Polish:
2009-09-24 10:39:34: "nie jeden a 2 błedy" a dokładnie 3 :)
Chciałem tylko zaznaczyć że jeśli chodzi o session start można wywołać
na 3 sposoby(pewnie istnieje więcej) ścieżkę dostępu. A mianowicie 3 to
zamiana zmiennej sesji na ciąg bardzo długi (nie testowałem dokładnie
ile znaków) po czym dostajemy informacje: Unknown(): Failed to write
session data (files) lub open(/cos/sess_cos, O_RDWR) failed: in ...

Take care,
-- 
gynvael.coldwind//vx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
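
A defensive counterpart to the behaviour described in the message above, added here as an example and not part of the original post or of PHP itself: it keeps session warnings out of responses and discards a malformed session cookie before session_start() turns it into a file name. The helper names, the 128-character limit and the accepted character set are assumptions.

```php
<?php
// Added example (not from the original post). Assumes the default "files"
// session handler and PHP's default session ID alphabet.

// Keep warnings out of HTTP responses and send them to the server log.
// php.ini is the better place for these two settings, because ini_set()
// only takes effect once the script is already running.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept the session ID from the cookie only, so one input needs checking.
ini_set('session.use_only_cookies', '1');

/**
 * Hypothetical helper: true when a client-supplied session ID looks like
 * one PHP could have issued. The length limit and character set are
 * assumptions; tighten them to match your session hash settings.
 */
function is_plausible_session_id($id)
{
    return is_string($id)
        && preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

/**
 * Hypothetical helper: drop a malformed session cookie so session_start()
 * never uses it to build a path under session.save_path.
 */
function start_session_safely()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        unset($_COOKIE[$name]); // session_start() then issues a fresh ID
        error_log('Rejected malformed session ID in cookie ' . $name);
    }
    return session_start();
}

start_session_safely();
```

The rejection is written to the server log, where repeated hits from one client show someone probing for the path.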

