php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #30905 open_basedir don't work
Submitted: 2004-11-26 13:02 UTC Modified: 2005-01-31 23:21 UTC
From: sat at lomejordeinternet dot net Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.3.9 OS: Linux Fedora 2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sat at lomejordeinternet dot net
New email:
PHP Version: OS:

 

 [2004-11-26 13:02 UTC] sat at lomejordeinternet dot net
Description:
------------
http://ns11.hostinglmi.net/phpinfo.php

In this circustances, with open_basedir on httpd.conf (<IfModule mod_php4.c>
php_admin_value open_basedir "/home/xn3m/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
)

If execute certain local exploit such file attached, user can read any dir with grup other read permission.



Reproduce code:
---------------
ns3.hostinglmi.net/cmd.txt 
ns3.hostinglmi.net/bug_openbasedir.png
(This machine don't work already bug becase added to php.ini disable_functions   = passthru,exec,shell_exec,proc_open)




Expected result:
----------------
Use cat comand for see any file with password (config.php of several scripts,..)
Use ls for see structure filesystem...




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-11-26 13:12 UTC] derick@php.net
This is not a bug, PHP can not stop other programs from going into directories protected by open_basedir. 
 [2004-11-26 21:51 UTC] sat at lomejordeinternet dot net
Well. Not bug?

If php_admin_value open_basedir restrict to use /XXX /yyy /zzzz but user can with a script onto /XXX ,  for example he can read /etc or /WWW/XXX/ (this dir not in open_basedir)

What this it?
 [2004-11-27 14:20 UTC] sat at lomejordeinternet dot net
http://www.php.net/manual/en/features.safe-mode.php#ini.open-basedir
"Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. "

It's posible run a system comand con /bin when this dir it's not it open_basedir ?
 [2004-11-27 14:22 UTC] sat at lomejordeinternet dot net
Or run ls for red list dir out of directory protected for open_basedir ?
 [2004-11-27 15:01 UTC] derick@php.net
Yes, as I said PHP can not protect against this as it happens outside the PHP program.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Mar 23 00:01:26 2019 UTC