|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #13207 open_basedir not restricting file access properly
Submitted: 2001-09-07 19:09 UTC Modified: 2005-01-31 23:23 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: jedi at tstonramp dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: NT 4.0
Private report: No CVE-ID: None
 [2001-09-07 19:09 UTC] jedi at tstonramp dot com
Script is as follows:


I'm running IIS 4.0 on NT 4.0 SP6.  This code is running in my web servers default web site.  I AM doing Virtual Web hosting using Host Header method, not multiple IPs. The anonymous web user for the virtual web server in question let's say is called: anon

When the script is run and anon is *denied* permissions to C:\ the following error is generated:

Warning: MkDir failed (Permission denied) in C:\InetPub\wwwroot\php\test.php on line 2

and PHPInfo displays open_basedir as being: C:\inetpub

(This is good.)

When I go in and grant user anon "Change" privileges to C:\ (I do NOT apply to all subdirectories) and re-run the script then:

I get NO error message and __THE DIRECTORY IS CREATED__ as C:\test

This is bad.  VERY bad.  I need to be able to rely on open_basedir preventing __ANY__ file access outside of C:\inetpub.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-07 21:25 UTC]
You don't have open_basedir enabled.  The error message from an open_basedir restriction is not "permission denied".  Does your phpinfo() output tell you that open_basedir is in effect?
 [2001-09-10 02:20 UTC] jedi at tstonramp dot com
Unless there is some other configuration I'm not aware of, I mentioned in the bug report that I have open_basedir enabled in that it says


as my open_basedir value when I do phpinfo()

If there's something wrong with the path format, I guess I could understand that, although I've seen other Win-style path formats in phpinfo that take the same format.
 [2001-11-11 12:20 UTC]
Try using a slahs (/) or a double backslash (\\) instead of a single backslash. Does that work?
 [2001-12-02 04:47 UTC]
Reproduced with 4.1.0RC4 on Windows 2000 with Apache 1.3.22!
Is this a bug or non-documented behaviour???
 [2002-06-03 12:16 UTC]
Thank you for taking the time to report a problem with PHP.
Unfortunately your version of PHP is too old -- the problem
might already be fixed. Please download a new PHP
version from

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Jul 15 03:01:24 2020 UTC