Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.
Haven’t found anything on this in https://support.wdc.com/download/notes/WD_My_Cloud_Firmware_Release_Notes_04.05.00-342.pdf, so I’m currently asking myself if this is already fixed or not.
But not sure if this is a vulnerability and if WD should dispute it, because AFAIK this is a standard functionality of PHP (session.save_handler = files + session.save_path = "/var/lib/php/sessions") placing this file there, and the same will happen on most default PHP applications as well:
When a session is started by a PHP script, a session cookie is sent to the client (a.k.a. the browser) requesting the script. This session cookie, named PHPSESSID by default, contains a 32-character “session” ID which is set to expire when the session ends.
Firefox shows the PHP session cookie. Notice the content, which contains the session ID, and expires, which says end of the session.
On the server side, a file named sess_X (replace X with the 32-character session ID) is created in the location specified in the session.save_path setting in the php.ini file. This is C:\WINDOWS\Temp on Windows and /var/lib/php/session on Linux. This file contains the names of all session variables and their respective values. So when a user whose browser contains the session ID 7iisicf6j2fde3tfverbh9she3 accesses the website, the server checks for the file named sess_7iisicf6j2fde3tfverbh9she3 in its session save path and accordingly uses the variables in that file.
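Since the files handler puts the session ID in the file name, what matters on the defender's side is who can list the save path. The following is an added example, not part of the original post or of WD's firmware: a permission audit for a session directory, where the function names, the finding labels and the sample session file are all constructed for illustration.

```python
import os
import stat
import tempfile

def audit_session_dir(path):
    """Return findings for a PHP files-handler session directory."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The read bit on a directory is what allows listing its file names,
    # and with sess_<ID> naming a listing discloses every live session ID.
    if mode & stat.S_IRGRP:
        findings.append("dir-listable-by-group")
    if mode & stat.S_IROTH:
        findings.append("dir-listable-by-others")
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):
            continue
        fmode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if fmode & (stat.S_IRGRP | stat.S_IROTH):
            # Truncate the name so the audit output does not leak the ID.
            findings.append("session-file-readable:" + name[:9] + "...")
    return findings

def demo():
    """Audit a constructed session directory before and after tightening."""
    with tempfile.TemporaryDirectory() as d:
        sess = os.path.join(d, "sess_" + "a" * 26)  # constructed session ID
        with open(sess, "w") as f:
            f.write('user|s:5:"admin";')  # constructed session data
        os.chmod(d, 0o755)
        os.chmod(sess, 0o644)
        weak = audit_session_dir(d)
        os.chmod(sess, 0o600)
        os.chmod(d, 0o700)
        hardened = audit_session_dir(d)
        return weak, hardened

if __name__ == "__main__":
    weak, hardened = demo()
    print("weak:", weak)
    print("hardened:", hardened)
```

The auditing account needs read access to the directory itself, so on a real host run it as the directory owner or root against the configured session.save_path.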