Garvin Hicking wrote:
Hi!
securing session data/handling is part of the system not of the application (like some days ago someone said window hijacking is part of the browser not the app)
We would make it too easy for us to say so, especially if we are able to bypass this. If we really just use PHP sessions and pay no attention to their security, we need to make phpMyAdmin still work without sessions. Most of the shared hosting providers do not ensure different session.save_path settings...
ok, so let's just start with insensitive data, like charset/lang, selected server/db/table, configuration, window names aso, query history, aso.
even with open_basedir disabled, to open a file from the tmp dir you need the exact name, as normally listing dir contents is not allowed
Why do you think that? I can open and list my /tmp directory on all 3 hosts I just checked:
<?php
// List every entry in /tmp as the user PHP runs under
$d = opendir('/tmp');
while (($file = readdir($d)) !== false) {
    echo $file . "\n";
}
uuh, bad, this is really a misconfiguration! the web (apache and/or php) user should not have read access on this directory! only on the files created by themselves in there!
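
The condition discussed in this thread can be checked from the hosting account itself. The following is an added example, not part of the original messages or of phpMyAdmin's code: it reports whether the directory named by session.save_path is listable by the PHP user and whether session files of other accounts are readable. The function name audit_session_dir() and its result keys are hypothetical.

```php
<?php
// Added example; audit_session_dir() and its result keys are hypothetical names.
function audit_session_dir(?string $savePath = null): array
{
    // session.save_path may be "N;/path" or "N;MODE;/path": the directory is the last field.
    $parts = explode(';', $savePath ?? (string) ini_get('session.save_path'));
    $dir = trim((string) end($parts));
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // the files handler falls back to the system temp dir
    }
    if (!is_dir($dir)) {
        return ['dir' => $dir, 'findings' => ['not a directory, or not reachable by this user']];
    }

    $findings = [];
    $mode = fileperms($dir) & 07777;
    if ($mode & 0004) {
        $findings[] = 'directory is world-readable: any local account can list session file names';
    }
    if (($mode & 0002) && !($mode & 01000)) {
        $findings[] = 'directory is world-writable without the sticky bit';
    }

    // The question from the thread: can the PHP user itself list the directory?
    $entries = @scandir($dir);
    if ($entries !== false) {
        $findings[] = 'PHP user can list the directory';
        $me = function_exists('posix_geteuid') ? posix_geteuid() : null;
        $foreign = 0;
        foreach ($entries as $name) {
            $path = $dir . DIRECTORY_SEPARATOR . $name;
            // Count session files owned by another account that this user can still read.
            if (strncmp($name, 'sess_', 5) === 0 && $me !== null
                && @fileowner($path) !== $me && is_readable($path)) {
                $foreign++;
            }
        }
        if ($foreign > 0) {
            $findings[] = "$foreign session file(s) of other accounts are readable";
        }
    }
    return ['dir' => $dir, 'mode' => sprintf('%04o', $mode), 'findings' => $findings];
}

print_r(audit_session_dir());
```

An empty findings list means the directory is neither listable by the PHP user nor world-readable; the ownership check is skipped when the posix extension is not loaded.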