php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #30905 open_basedir don't work
Submitted: 2004-11-26 13:02 UTC Modified: 2005-01-31 23:21 UTC
From: sat at lomejordeinternet dot net Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.3.9 OS: Linux Fedora 2
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sat at lomejordeinternet dot net
New email:
PHP Version: OS:

 

 [2004-11-26 13:02 UTC] sat at lomejordeinternet dot net 
Description:
------------
http://ns11.hostinglmi.net/phpinfo.php

In this circustances, with open_basedir on httpd.conf (<IfModule mod_php4.c>
php_admin_value open_basedir "/home/xn3m/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
)

If execute certain local exploit such file attached, user can read any dir with grup other read permission.



Reproduce code:
---------------
ns3.hostinglmi.net/cmd.txt 
ns3.hostinglmi.net/bug_openbasedir.png
(This machine don't work already bug becase added to php.ini disable_functions   = passthru,exec,shell_exec,proc_open)




Expected result:
----------------
Use cat comand for see any file with password (config.php of several scripts,..)
Use ls for see structure filesystem...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-11-26 13:12 UTC] derick@php.net 
This is not a bug, PHP can not stop other programs from going into directories protected by open_basedir.
 [2004-11-26 21:51 UTC] sat at lomejordeinternet dot net 
Well. Not bug?

If php_admin_value open_basedir restrict to use /XXX /yyy /zzzz but user can with a script onto /XXX ,  for example he can read /etc or /WWW/XXX/ (this dir not in open_basedir)

What this it?
 [2004-11-27 14:20 UTC] sat at lomejordeinternet dot net 
http://www.php.net/manual/en/features.safe-mode.php#ini.open-basedir
"Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. "

It's posible run a system comand con /bin when this dir it's not it open_basedir ?
 [2004-11-27 14:22 UTC] sat at lomejordeinternet dot net 
Or run ls for red list dir out of directory protected for open_basedir ?
 [2004-11-27 15:01 UTC] derick@php.net 
Yes, as I said PHP can not protect against this as it happens outside the PHP program.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Dec 22 11:01:30 2024 UTC