Sec Bug #64296 PHP Realpath Directory Listing
Submitted: 2013-02-25 13:35 UTC Modified: 2021-05-20 12:18 UTC
From: security at hoax dot io Assigned: cmb (profile)
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS: *NIX & WIN
Private report: No CVE-ID: None
 [2013-02-25 13:35 UTC] security at hoax dot io
Description:
------------
Realdir is quite verbose, thus allowing attackers to check if files and folders exist using the following regex: $regexp = "/File\((.*)\) is not within/";

This has been tested on:
5.4.11 & Above

For a Full PoC please check the Test Script


Test script:
---------------
http://pastebin.com/4LTrARUj


Expected result:
----------------
The Directory List of /

Actual result:
--------------
The Directory List of /

 [2013-03-05 18:37 UTC] johannes@php.net
This is not specific to realpath but applies to most/all functions which are affected by open_basedir. I don't think open_basedir should or can provide full secrecy. Doing that is the role of the operating system (file system access rights, chroot, ...). The purpose of open_basedir is, in my opinion, more a safety net than a top security feature.

Leaving this open for others to comment, though.
 [2013-03-06 09:33 UTC] security at hoax dot io
Why should open_dir be treated as a safety net?

If an 'end user' can bypass the safety function of open_dir and Safe Mode, it should be fixed, right?
 [2021-05-20 12:18 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2021-05-20 12:18 UTC] cmb@php.net
If an attacker can run arbitrary scripts, all bets are off. We do not classify that as a security issue [1]. And having detailed info regarding the file names in the error log, or on screen during development, is a useful feature, not a bug.

[1] <https://wiki.php.net/security#not_a_security_issue>
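The two comments above settle the question as "keep the detail in the log, not on the screen". The following added example (not part of the bug report and not PHP's own code) shows one way a site operator does that: the open_basedir warning that realpath() raises for an existing file outside the allowed tree is recorded with its full text in the server log, while the client only ever sees a null result, the same result it gets for a file that does not exist. Assumptions: the script runs on a *NIX host in a directory outside /etc, so /etc/passwd is an existing path outside the restricted tree; the function names resolveInsideBasedir and handleOpenBasedirWarning are chosen for this example.

```php
<?php
// Added example (not the bug report's test script and not PHP project code).
// Assumes a *NIX host where this script lives outside /etc.

// Production posture: never render PHP warnings into the response body,
// but keep them in the server-side error log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// open_basedir may only be tightened at runtime; restrict to this script's
// directory so anything outside it trips the check.
ini_set('open_basedir', __DIR__);

/**
 * Error handler for E_WARNING. An open_basedir violation is written to the
 * error log with its full text (including the file name, which is what the
 * administrator wants to see) and then reported as handled, so nothing
 * reaches the client even if display_errors were turned back on.
 * Every other warning falls through to PHP's default handling.
 */
function handleOpenBasedirWarning(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (strpos($errstr, 'open_basedir restriction in effect') !== false) {
        error_log(sprintf('[open_basedir] %s at %s:%d', $errstr, $errfile, $errline));
        return true;   // handled: suppress default output
    }
    return false;      // not ours: let PHP handle it as usual
}
set_error_handler('handleOpenBasedirWarning', E_WARNING);

/**
 * Resolve a path inside the restricted tree. Returns null both when the file
 * does not exist and when it exists but lies outside open_basedir, so the
 * caller (and anything it echoes) cannot distinguish the two cases.
 */
function resolveInsideBasedir(string $path): ?string
{
    $real = realpath($path);   // raises the open_basedir warning for existing files outside the tree
    return $real === false ? null : $real;
}

// Inside the allowed tree: resolves normally.
var_dump(resolveInsideBasedir(__FILE__) === __FILE__);          // bool(true)

// Nonexistent path: realpath() fails before the open_basedir check.
var_dump(resolveInsideBasedir(__DIR__ . '/no-such-file.txt'));  // NULL

// Existing path outside the tree: warning goes to the log, caller gets NULL,
// and the response body contains no "File(...) is not within" text.
var_dump(resolveInsideBasedir('/etc/passwd'));                  // NULL
```

The handler does not change what realpath() returns; it only controls where the message goes. The same effect for the whole site, without per-script code, is display_errors=Off and log_errors=On in php.ini, which is the production default PHP ships in php.ini-production.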