The session_save_path() function returns the path of the directory that is currently being used to save session data. There are many servers with this vulnerability, which exists due to an error while handling the session.save_path function. The session.save_path function changes the path used to save cookie data.

An attacker with local access can exploit this vulnerability to bypass open_basedir restrictions. PHP versions before 4.4.4 and versions before 5.2.0 allowed an attacker to bypass security restrictions locally. The exploit existed due to a bug in the session.save_path function that allowed an attacker to send it an empty value. This step allowed the attacker to bypass open_basedir restrictions.
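A defender-side audit for the condition described above, added here as an example and not code from the original page or from PHP itself: it applies the page's version bounds and checks that session.save_path is non-empty and sits inside open_basedir. The function names, finding labels, sample php.ini and the two configuration checks are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample php.ini (not from the page); Unix ':' separator assumed.
SAMPLE_INI = """\
open_basedir = /var/www/site:/var/lib/php/sessions
; session.save_path = /tmp
[Session]
session.save_path = "2;/var/lib/php/sessions"
"""

def parse_ini(text):
    """Return {directive: value}; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_.]+)\s*=\s*(.*)$', line)
        if not m:
            continue  # blank line, ';' comment or [section] header
        key, raw = m.group(1), m.group(2).strip()
        if raw[:1] in ('"', "'"):
            value = raw[1:].split(raw[0], 1)[0]   # quoted: ';' is data
        else:
            value = raw.split(';', 1)[0].strip()  # unquoted: ';' starts a comment
        settings[key] = value
    return settings

def version_affected(version):
    """Page's bounds, read per branch: 4.x before 4.4.4, 5.x before 5.2.0."""
    v = (tuple(int(p) for p in re.findall(r'\d+', version)) + (0, 0, 0))[:3]
    return v < (4, 4, 4) or (5, 0, 0) <= v < (5, 2, 0)

def inside(path, base):
    """Directory containment, so /var/www-old is not inside /var/www."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    return path == base or path.startswith(base.rstrip('/') + '/')

def audit(version, ini_text):
    """Finding labels (hypothetical names); save_path may be 'N;MODE;/path'."""
    cfg = parse_ini(ini_text)
    findings = ['php-version-affected'] if version_affected(version) else []
    bases = [b for b in cfg.get('open_basedir', '').split(':') if b]
    if not bases:
        return findings  # no open_basedir policy configured
    save_path = cfg.get('session.save_path', '').rsplit(';', 1)[-1].strip()
    if not save_path:
        findings.append('save-path-empty')  # assumed hygiene check
    elif not any(inside(save_path, b) for b in bases):
        findings.append('save-path-outside-open-basedir')  # assumed check
    return findings
```

Calling `audit("5.1.6", SAMPLE_INI)` flags only the version, because the sample keeps session storage inside an allowed directory.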
The steps involved in this attack are:-
The code below is an example of session_save_path().
The above function returns the path.
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-