PHP session.save_path Security Restriction Bypass

The session save path function returns the path of the current directory that is being used to save session data. There are many servers with this vulnerability. This vulnerability exists due to an error while handling the session.save_path function. The session.save_path function changes the path used to save cookie data. This vulnerability can be exploited by an attacker through local access to bypass open_basedir restrictions. PHP with versions before 4.4.4 and with versions before 5.2.0 allowed an attacker to bypass security restrictions locally. This exploit existed due to a bug in session.save_path function that allowed an attacker to send an empty value to session.save_path function. This step by the attacker allowed him to bypass open_basedir restrictions.

The steps involved in this attack are:-

1. Gain local access to the victim server.
2. The attacker will modify tmpdir and place it in a directory where the attacker has full access.
3. An empty value is sent to session.save_path. There is no official patch for this vulnerability by PHP. But, there are 3rd party updates as a fix for this vulnerability.

Example

The below code is an example of session_save_path().

        string session_save_path ([ string $path ] )

    

The above function returns the path.

Impact

Using this vulnerability, an attacker can:-

• perform Cross-Site Request Forgery (CSRF)
• manipulate sensitive information
• leak sensitive information
• gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

• Try to patch the bug using reliable 3rd party suppliers because PHP has not fixed this bug yet. Make sure to restrict the access to the systems to trusted users.

Written by

Sooraj V Nair

Cyber Security Engineer