VYPR
Unrated severity · NVD Advisory · Published Mar 26, 2010 · Updated Apr 29, 2026

CVE-2010-1130

Description

session.c in the session extension in PHP before 5.2.13, and 5.3.1, does not properly interpret ; (semicolon) characters in the argument to the session_save_path function, which allows context-dependent attackers to bypass open_basedir and safe_mode restrictions via an argument that contains multiple ; characters in conjunction with a .. (dot dot).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP session save path handling in versions before 5.2.13 and 5.3.1 allows bypass of open_basedir and safe_mode via crafted semicolon sequences.

Vulnerability

The session.c component of the PHP session extension improperly interprets semicolon (;) characters in the argument passed to session_save_path(). In PHP versions before 5.2.13 and 5.3.1, an attacker can supply a path argument containing multiple semicolons combined with directory traversal sequences (..) to bypass open_basedir and safe_mode restrictions [1][2][3]. The parser treats the semicolon as a separator between a numeric depth value and a path, but does not sufficiently validate the resulting path, allowing writes outside the intended directory [2][3].

Exploitation

An attacker must have the ability to call session_save_path() (either directly or via ini_set()) with a user-controlled argument, which requires some level of access, typically in a shared hosting or application environment where the function is exposed. The attacker supplies a value such as 0;/tmp/../attacker_controlled_path where the .. component traverses upward from the intended base directory. Multiple semicolons can be injected to confuse the parsing logic and achieve a filesystem path escape [2][3]. No authentication or user interaction beyond the ability to set the session save path is required [2][3].

Impact

Successful exploitation allows an attacker to write session files outside the intended session.save_path directory, thereby bypassing open_basedir and safe_mode restrictions. This can lead to local file creation or overwrite in arbitrary locations (subject to filesystem permissions), potentially enabling further compromise such as code execution if the attacker can control file content and location [1][2][4]. The impact is limited by the PHP process's write permissions on the target filesystem.

Mitigation

PHP 5.2.13 and 5.3.2 (the fix was included in 5.3.2, released after the advisory) contain the proper fix for this vulnerability [1][4]. Users should upgrade to these versions or later. No workaround is available if the session extension is enabled; however, disabling session_save_path() usage or restricting the argument via custom code may be possible in some environments. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
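
The Mitigation paragraph's option of restricting the argument via custom code, shown as an added example that is not part of the advisory or PHP's own fix: a wrapper that accepts only the documented "/path", "N;/path" and "N;MODE;/path" forms, rejects ".." segments, and requires the resolved directory to sit under an allowed root. ALLOWED_ROOT, its value, checked_save_path() and POSIX-style paths are assumptions.

```php
<?php
// Added example, not PHP's own fix. ALLOWED_ROOT and checked_save_path()
// are hypothetical names; the root directory is a site-specific assumption.
define('ALLOWED_ROOT', '/var/lib/php/sessions');

function checked_save_path($value, $root = ALLOWED_ROOT)
{
    if (!is_string($value) || strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('save path must be a string without NUL bytes');
    }
    // Documented forms: "/path", "N;/path", "N;MODE;/path". More than two ';'
    // is the multi-semicolon shape this CVE describes, so refuse it outright.
    $parts = explode(';', $value);
    if (count($parts) > 3) {
        throw new InvalidArgumentException('too many ";" separators');
    }
    $path = array_pop($parts);
    if (isset($parts[0]) && !preg_match('/^[0-9]+\z/', $parts[0])) {
        throw new InvalidArgumentException('depth must be a decimal integer');
    }
    if (isset($parts[1]) && !preg_match('/^[0-7]{3,4}\z/', $parts[1])) {
        throw new InvalidArgumentException('mode must be octal, e.g. 0600');
    }
    // Reject traversal segments before touching the filesystem.
    if ($path === '' || $path[0] !== '/' || preg_match('#(^|/)\.\.(/|\z)#', $path)) {
        throw new InvalidArgumentException('path must be absolute and free of ".."');
    }
    // Resolve symlinks and require the result to sit under the allowed root.
    $real = realpath($path);
    $base = realpath($root);
    if ($real === false || $base === false) {
        throw new InvalidArgumentException('path or allowed root does not exist');
    }
    if ($real !== $base && strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path is outside the allowed root');
    }
    // Rebuild the value from validated fields only.
    $parts[] = $real;
    return implode(';', $parts);
}

// Call sites pass the value through the wrapper first:
// session_save_path(checked_save_path($configured_value));
```

The wrapper is defence in depth for code that sets the save path from configurable input; it does not replace upgrading to a fixed PHP release.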

Affected products

36
  • PHP/PHP: 35 versions
    • cpe:2.3:a:php:php:*:*:*:*:*:*:*:* (range: <=5.2.12)
    • cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*
  • Range: <5.2.13, 5.3.1

References

11
