I read that a user can overwrite arbitrary files on the filesystem by specifying a specially crafted value for the PHPSESSID token on login. It also states that this can overwrite other session files or delete other system-related files.
Only logged-in users can access the application. We maintain sessions in the file system. The session file name is the session id prefixed with a string constant. Whenever there is a request from the client we take the session id from PHPSESSID, prepend the string constant to it and use the result as the file name for that session in the file system.
For example:
PHPSESSID = A3KJHT63XK496LSDNTJ45
session file name in the file system will be "STRINGA3KJHT63XK496LSDNTJ45"
What is the possibility of overwriting/deleting an existing file by sending a request like the following...
POST /login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; ...(truncated)
Cookie: PHPSESSID=../../php.log;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
login=login&username=user1&password=Password1234
From the above example the session file is created/accessed with the name "STRING../../php.log". This is what the security vulnerability audit states: since a file name is directly provided, there is a possibility of that system file being deleted or overwritten.
In this case any crafted string passed through the session id (for example "../../php.log") is prefixed with some other string constant like "STRING" to give a final string "STRING../../php.log", which becomes invalid. No file with that name exists in the file system, so there cannot be any security vulnerability.
Yet, I wanted to know what other vulnerabilities the above method poses.
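As an added example (Python, written for this page; it is not the asker's application code and says nothing about how that PHP app is actually implemented), here is a small model of the naming scheme the question describes: the constant prefix is the post's placeholder "STRING", the session directory path and the allowed-id regex are assumptions, and the cookie values fed in are constructed (the post's own sample id, its "../../php.log" payload, and two variants). It shows where each value resolves once ".." segments are normalised, and the allow-list and containment checks a reviewer would expect before the cookie value reaches any file operation. Note that the model normalises paths lexically, like os.path.abspath, whereas a real filesystem would require a directory literally named "STRING.." to exist for the post's exact payload; the variants with a leading "/" or an extra "../" do not depend on that.

```python
import os
import re

# Constants from the post: the prefix prepended to the cookie value.
# PREFIX is the post's placeholder "STRING"; SESSION_DIR is an assumed location.
PREFIX = "STRING"
SESSION_DIR = "/var/lib/app/sessions"

# Assumed alphabet and length for a legitimate id (the post's sample is 21
# upper-case alphanumerics); tighten this to whatever your id generator emits.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,128}$")


def naive_session_path(session_dir: str, session_id: str) -> str:
    """The scheme the post describes: session dir + (constant prefix + raw cookie value)."""
    return os.path.join(session_dir, PREFIX + session_id)


def resolves_inside(session_dir: str, path: str) -> bool:
    """Lexical containment check: normalise '..' segments and compare against the base.

    os.path.abspath collapses 'X/..' pairs without consulting the filesystem, so
    'STRING../../x' becomes 'x' relative to the session dir; a real kernel would
    instead require a directory literally named 'STRING..' to exist. In production
    use os.path.realpath so symlinks are followed as well.
    """
    base = os.path.abspath(session_dir)
    target = os.path.abspath(path)
    return target == base or target.startswith(base + os.sep)


def is_valid_session_id(session_id: str) -> bool:
    """Allow-list check on the cookie value before it touches any path logic."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def safe_session_path(session_dir: str, session_id: str) -> str:
    """Hardened lookup: reject bad ids first, then still verify the final path stays put."""
    if not is_valid_session_id(session_id):
        raise ValueError("session id contains characters outside the allowed alphabet")
    path = naive_session_path(session_dir, session_id)
    if not resolves_inside(session_dir, path):  # defence in depth; cannot trip after the regex
        raise ValueError("session path escapes the session directory")
    return path


if __name__ == "__main__":
    # Constructed cookie values: the post's sample id, its traversal payload,
    # and two variants that show where a constant prefix alone stops helping.
    samples = [
        "A3KJHT63XK496LSDNTJ45",
        "../../php.log",
        "/../../php.log",
        "../../../php.log",
    ]
    for sid in samples:
        path = naive_session_path(SESSION_DIR, sid)
        print(f"{sid!r:24} -> {os.path.abspath(path)}  "
              f"inside={resolves_inside(SESSION_DIR, path)}  "
              f"valid_id={is_valid_session_id(sid)}")
```

Running the block prints one line per constructed value: the post's exact payload normalises to a file still under the session directory (the "STRING.." and ".." segments cancel), while a leading "/" or one more "../" lands on /var/lib/app/php.log, outside it. The allow-list check rejects all three crafted values regardless, which is why it belongs in front of the path logic rather than relying on the prefix.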