Bug #36297 Bypass open_basedir on windows
Submitted: 2006-02-05 18:42 UTC Modified: 2006-02-05 22:05 UTC
Votes:6
Avg. Score:5.0 ± 0.0
Reproduced:6 of 6 (100.0%)
Same Version:4 (66.7%)
Same OS:6 (100.0%)
From: smartgenius1 at yahoo dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.1.2 OS: Windows
Private report: No CVE-ID: None
 [2006-02-05 18:42 UTC] smartgenius1 at yahoo dot com
Description:
------------
The function chdir() does NOT obey the open_basedir restriction on windows. Chdir() ONLY checks the UID of the directories; and on Windows there are no UIDs. So it is possible to do

chdir("../");

and it works on windows; even if the open_basedir restriction is set to "."; which should be blocking it.

And to make sure I had open_basedir restriction configured correctly; I tried this:

opendir("../");

and sure enough; an error stating that the restriction was on.

Reproduce code:
---------------
<?php
// Run with open_basedir = "." (the reporter's setting).
chdir("../");
?>

Expected result:
----------------
A PHP error stating that the open_basedir restriction was on

Actual result:
--------------
It worked. No errors at all; and I was able to open the directory with

opendir(getcwd());

after changing the current working directory to the above directory.

 [2006-02-05 19:13 UTC] smartgenius1 at yahoo dot com
I was also able to unlink() files; and also fwrite() things as well. I had full permissions; as if I was working in ./ and no error ever occurred.
 [2006-02-05 20:24 UTC] tony2001@php.net
What is the value of open_basedir?
 [2006-02-05 20:25 UTC] smartgenius1 at yahoo dot com
I have it set to "."
 [2006-02-05 20:27 UTC] derick@php.net
Well.... "." is the current working directory, so of course you can read it then...
 [2006-02-05 20:28 UTC] tony2001@php.net
And what if you try to set it to the real path instead of "."?
I doubt that PHP is able to distinguish "." when you're in /path/1 from "." when you're in "/another/path".
 [2006-02-05 20:29 UTC] tony2001@php.net
No bug here.
 [2006-02-05 20:30 UTC] smartgenius1 at yahoo dot com
I said I can reach UPPER LEVEL directories. (../)

Any other file system functions won't let me do that. Just chdir().
 [2006-02-05 20:41 UTC] tony2001@php.net
What Derick said.
 [2006-02-05 20:45 UTC] smartgenius1 at yahoo dot com
Sir, you must not be reading it correctly.

I have open_basedir set to "."; which should only allow functions to access files in the current directory and under.

I am able to change the directory to an above directory with chdir(); that is NOT a file in the cwd or lower.

I can have a script working in

System/Files/script.php

with open_basedir set to "."; I cannot do

include("../anyfile.php");
file("../anyfile.php");

or any other thing that accesses the above directory...

so why can I do

chdir("../");
include("anyfile.php");

?

The chdir() function should check to make sure that the directory argument is within the allowed paths of open_basedir; which it doesn't.

Hope this clarifies my concern.

~Sean
 [2006-02-05 21:26 UTC] smartgenius1 at yahoo dot com
This bug is NOT bogus. The support here will just not take the time to read what I am trying to say.

chdir() should check the open_basedir restriction. It doesn't.

I was able to get into my friend's computer, because he believed that the open_basedir restriction and safe_mode would prevent people from accessing his files. This function did not follow the open_basedir restriction and let me get into his system files. Anybody that is thinking about hosting or letting other people use PHP on their Windows computer... they need to know about this.

This is not a bogus bug. This is a very critical bug; but nobody will take the time to read through it.

I guess it's OK that tons of Windows users trust the open_basedir restriction enough to think that this type of thing cannot happen. Boy won't they be in for a surprise when somebody uses this exploit and erases their entire computer.

Good day.

~Sean
 [2006-02-05 21:33 UTC] smartgenius1 at yahoo dot com
Ah well. The least you guys should do is put up a warning on the chdir() page that Windows does not have UIDs.
 [2006-02-05 21:54 UTC] judas dot iscariote at gmail dot com
smartgenius1: can you RTFM please ?

http://php.net/manual/en/features.safe-mode.php#ini.open-basedir

you **should** use absolute paths ???

i.e. open_basedir = /path/to/your/data/
 [2006-02-05 22:00 UTC] tony2001@php.net
"The restriction specified with open_basedir is actually a prefix, not a directory name." (c)

 [2006-02-05 22:02 UTC] smartgenius1 at yahoo dot com
Aaah ok. I see

"The special value .  indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir()."

I am very sorry if I seemed to cause any problems. I have looked at that before; but just overlooked that. Mistake.

Sorry again
Closed
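Why the thread ends as "Not a bug", shown as an added example (not code from the report or from PHP): a simplified Python model of a prefix-style open_basedir check in which "." is resolved against the working directory at check time, as the manual text quoted above describes. The function names and the POSIX-style rendering of the reporter's System/Files path are assumptions made for illustration.

```python
import posixpath


def resolve(path, cwd):
    """Absolute, normalised form of path relative to a simulated working directory."""
    return posixpath.normpath(posixpath.join(cwd, path))


def allowed(path, cwd, open_basedir):
    """Simplified prefix check; "." is re-resolved against cwd on every call (assumption)."""
    base = resolve(open_basedir, cwd)
    if open_basedir.endswith("/"):
        base = base.rstrip("/") + "/"  # trailing slash: match that directory only
    return (resolve(path, cwd) + "/").startswith(base)


def run_script(open_basedir, start_cwd="/System/Files"):
    """Replay the thread's sequence: include("../anyfile.php"), chdir("../"), include("anyfile.php")."""
    cwd = start_cwd
    before = allowed("../anyfile.php", cwd, open_basedir)
    cwd = resolve("../", cwd)  # chdir() itself is not checked, as the reporter observed
    after = allowed("anyfile.php", cwd, open_basedir)
    return before, after


if __name__ == "__main__":
    # "." follows the script around; an absolute base does not.
    for setting in (".", "/System/Files", "/System/Files/"):
        print(repr(setting), run_script(setting))
    # "A prefix, not a directory name": without the trailing slash a sibling
    # directory sharing the prefix also passes the check.
    print(allowed("/System/Files-old/x.php", "/System/Files", "/System/Files"))
    print(allowed("/System/Files-old/x.php", "/System/Files", "/System/Files/"))
```

With the base set to "." the second include passes because the base moved with the working directory; with an absolute base ending in a slash both includes are refused.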
 
Last updated: Fri Apr 19 09:01:27 2024 UTC