CVE-2007-1835 in PHP

Summary

by MITRE

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.


Analysis

by VulDB Data Team • 04/13/2025

This vulnerability affects PHP 4 before 4.4.5 and PHP 5 before 5.2.1. When session.save_path is configured as an empty string, the session module validates the configured value against open_basedir, but the value it validates is the empty string, which passes. Only afterwards does it fall back to the TMPDIR environment variable (or the system temporary directory) as the actual session save path, and that fallback path is never checked against open_basedir. A local user who controls TMPDIR for the PHP process can therefore steer session storage to a directory outside the permitted set.

The defect is an ordering bug in the session module's save-path handling rather than a missing check: the open_basedir check runs once, on the configured value, and the substitution of the default path happens after it. Because the default is taken from an environment variable the local user may influence, and because TMPDIR typically points to a location such as /tmp that lies outside a per-site open_basedir, the fallback opens a file access path that the open_basedir configuration was meant to close.

The operational impact is that a local user can read and write session files in directories that open_basedir should have made unreachable, which undermines the filesystem boundary that shared-hosting setups rely on to separate customers running under the same PHP configuration. Session data written by the attacker's scripts lands in a directory of the attacker's choosing, and session files already present in that directory are read back as session data, so both information disclosure and tampering outside the sandbox are possible. The bug does not by itself grant higher operating-system privileges; it defeats a PHP-level restriction, and any application that depends on open_basedir as its only isolation mechanism is exposed.

The fix is to upgrade to PHP 4.4.5 or 5.2.1 (or later), which apply the open_basedir check to the save path that is actually used. Independently of the upgrade, administrators should set session.save_path explicitly to a directory that lies inside open_basedir rather than leaving it empty, so that the TMPDIR default is never consulted. Monitoring for changes to TMPDIR has limited value because a local user can set the variable for their own PHP process (for example from a script) without touching any system-wide setting; the configuration and the upgrade are the controls that matter. VulDB classifies the weakness as CWE-276 (Incorrect Default Permissions) and maps it to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript); the CWE fits an unsafe default path, while the ATT&CK mapping is a loose fit for what is a local configuration bypass. Organizations should audit their PHP configurations and confirm that every session-related path is explicit and inside the open_basedir set, so that no default can silently select a location outside it.
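The following audit script is an added example, not part of the VulDB entry or of PHP itself. It reads a php.ini fragment, applies the condition described above (open_basedir set, session.save_path empty, PHP version below 4.4.5 or 5.2.1) and flags the vulnerable combination, the still-weak "empty save_path on a patched version" case, and a save_path that points outside open_basedir. The ini text, version strings and paths are constructed for the example; the "N;MODE;/path" form of session.save_path and the ':' separator of open_basedir are real PHP syntax. Containment is checked by directory boundary, which is stricter than PHP's own prefix match, so the script may reject an open_basedir entry without a trailing slash that PHP would accept.

```python
"""Audit a php.ini fragment for the CVE-2007-1835 condition (added example)."""
import re
from pathlib import PurePosixPath

# Branch fix versions taken from the advisory text: PHP 4 -> 4.4.5, PHP 5 -> 5.2.1.
FIXED_VERSIONS = {4: (4, 4, 5), 5: (5, 2, 1)}


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, optional quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]       # quoted: ';' inside is literal
        else:
            value = value.split(";", 1)[0].strip()   # unquoted: ';' starts a comment
        settings[key] = value
    return settings


def session_directory(save_path):
    """Strip the optional 'N;' or 'N;MODE;' prefix that PHP allows in session.save_path."""
    return save_path.rsplit(";", 1)[-1].strip()


def within_basedir(path, open_basedir):
    """True if path equals or lies below one of the ':'-separated open_basedir entries."""
    target = PurePosixPath(path)
    for entry in filter(None, open_basedir.split(":")):
        base = PurePosixPath(entry)
        if target == base or base in target.parents:
            return True
    return False


def version_is_fixed(version):
    """Compare a PHP version string (e.g. '5.2.0-8+etch') against the branch fix version."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unparseable PHP version: {version!r}")
    parsed = tuple(int(part) for part in match.groups())
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return parsed[0] > 5   # later major versions postdate the fix; older ones are treated as unfixed
    return parsed >= fixed


def assess(ini_text, php_version, tmpdir="/tmp"):
    """Return a list of findings; an empty list means the fragment passes this check."""
    ini = parse_php_ini(ini_text)
    open_basedir = ini.get("open_basedir", "")
    save_path = session_directory(ini.get("session.save_path", ""))
    findings = []
    if not open_basedir:
        findings.append("open_basedir not set: no per-site filesystem boundary to bypass or enforce")
        return findings
    if not save_path:
        if not version_is_fixed(php_version):
            findings.append(
                f"VULNERABLE (CVE-2007-1835): PHP {php_version} with empty session.save_path "
                f"falls back to TMPDIR ({tmpdir}) after the open_basedir check"
            )
        else:
            findings.append(
                "session.save_path empty: sessions default to TMPDIR; "
                "set an explicit directory inside open_basedir"
            )
    elif not within_basedir(save_path, open_basedir):
        findings.append(f"session.save_path {save_path} lies outside open_basedir {open_basedir}")
    return findings


# Constructed sample configurations (hypothetical paths), weak setting beside the corrected one.
VULNERABLE_INI = """
; shared-hosting vhost, session path left at the default
open_basedir = "/var/www/vhosts/site1:/tmp/site1"
session.save_handler = files
session.save_path =
"""

HARDENED_INI = """
; explicit session directory that is itself inside open_basedir
open_basedir = "/var/www/vhosts/site1:/var/lib/php/sessions/site1"
session.save_handler = files
session.save_path = "3;/var/lib/php/sessions/site1"
"""

if __name__ == "__main__":
    for label, ini, version in (("weak, PHP 5.2.0", VULNERABLE_INI, "5.2.0"),
                                ("weak, PHP 5.2.1", VULNERABLE_INI, "5.2.1"),
                                ("hardened, PHP 5.2.0", HARDENED_INI, "5.2.0")):
        print(label, "->", assess(ini, version) or ["ok"])
```

Run it against a real php.ini and the output of `php -r 'echo PHP_VERSION;'`; on a patched build the script still reports an empty save_path as a weakness, because the TMPDIR default remains a path the administrator did not choose.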

Reservation

04/02/2007

Disclosure

04/02/2007

Moderation

accepted

Entry

VDB-35980

CPE

ready

EPSS

0.00138

KEV

no

Activities

very low
