Vigil@nce: PHP, file creation via session_save_path
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use the session_save_path() PHP function, in order
to create a file outside allowed directories.
Severity: 1/4
Consequences: data creation/edition
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/02/2010
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The session_save_path() function defines the path of the directory
where PHP has to store files containing session information. This
function supports an advanced syntax to define the number of
sub-directories:
session_save_path("5;/data/session");
However, by using several ’;’ characters, an attacker can define
another directory, which is not checked:
session_save_path(";/data/session;/another_directory");
An attacker can therefore use the session_save_path() PHP
function, in order to create a file outside allowed directories.
CHARACTERISTICS
Identifiers: BID-38182, VIGILANCE-VUL-9443
http://vigilance.fr/vulnerability/PHP-file-creation-via-session-save-path-9443