Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

what other information do you need? its a very simple bug and easy to test, the only think I havent done that is on the how to report page is tested the cvs version.  when I submitted the report I was told to add a 'brief' description of the problem so for that reason it wasnt detailed, then I was asked to provide the code that you can test with also provided and finally the php version and os version both supplied.

apache version is 1.3.37
php reccomended ini file used changes were open base dir and zone optimiser and eaccelerator, however tried with both zend optimiser and eaccelerator and the behaviour remained.
mysql version 4.1.x but this is just basic php code no database involved.

What you said is just "include "/etc/passwd" displays the contents of this file".

Why do you think open_basedir is even set? What is the value? Where did you set it? How did you set it? What is the value in phpinfo()? Did you check it with other files?
I'll add more questions afterwards.

ok here is info your requested

include("/etc/passwd"); is the exact line I used in the php file, this generates the following in the apache error_log for the vhost.

[Wed Sep 13 20:51:48 2006] [error] PHP Warning:  main() [<a href='function.main'>function.main</a>]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/chrysalis/:/tmp/:/var/www/:/var/uebimiau:/usr/local/lib/php/:/etc/virtual/:/usr/uebimiau) in /home/chrysalis/domains/chrysalisnet.org/public_html/exploit.php on line 17
[Wed Sep 13 20:51:48 2006] [error] PHP Warning:  main(/etc/passwd) [<a href='function.main'>function.main</a>]: failed to open stream: Operation not permitted in /home/chrysalis/domains/chrysalisnet.org/public_html/exploit.php on line 17

this indicates to me open_basedir is in effect as its generating the correct log entry but then the /etc/passwd is displayed in the browser window.

in phpinfo I get the following data for open_basedir local value.

open_basedir	/home/chrysalis/:/tmp/:/var/www/:/var/uebimiau:/usr/local/lib/php/:/etc/virtual/:/usr/uebimiau

master value is the same with 1 extra dir /etc/awstats

url temporarily up for your conveniance http://www.chrysalisnet.org/phpinfo.php

the master value is set in php.ini the local value is set in a vhost container in httpd.conf using "php_admin_value open_basedir"

I checked the exact same script on php 5.1.5 which has the same php settings other then php 5 specific settings and works as it should, I am about to try with php 4.4.3 to see if that has the same behaviour.

What if you set it in php.ini instead of httpd.conf?

And please disable (temporarily) eAccelerator and all other modules which affect PHP functionality.

ok the modules are now disabled, its already set in php.ini I believed this is just for the master value?

Or do you want it completely removed from the vhost container so there is only a master value?

ok this is now working I apologise as I remember doing this before and there was still a problem, I will leave the modules disabled until you are ready or for an hour or so.

Yes, only php.ini, no php_admin_* directives.

ok the httpd.conf removed

So, does it work for you now?

its now working with both zend optimiser and eaccelerator and the local basedir value enabled in httpd.conf.  I turned off caching to disk in eaccelerator which means its flushed on every apache restart, I guess the problem may have been a cached copy of the script or just some freak occurance.  I will disable the disk caching on the 2nd machine as well (this happening on 2 different servers but setup same way) and see if that fixes it for that machine.

Ok, I'm marking it as bogus so far.
Please reopen the report when/if you have some more information. Thanks.

hi again.

I think the previous finding may be wrong, the 2nd maching doesnt have either zend optimiser or eaccelerator installed so is just php with no additional modules loaded, it has no master open_basedir value but a local open_basedir value specified in httpd.conf vhost, the value displays as it should in phpinfo.  however is been ignored and I dont even get log entries saying access denied it simply seems to not be triggered at all.

phpinfo here as this isnt my webspace I just admin the server I cant keep it up for long.

http://www.dalme.nl/info.php

this 2nd server is php 4.4.4 again and freebsd 5.4

ok I checked the php log file specified in php.ini and this is giving the relevant open basedir warnings as below.

[19-Sep-2006 13:17:45] PHP Warning:  main() [<a href='function.main'>function.main</a>]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s)

no errors in httpd error log tho which happens on other servers and of course no actual blocking of the request.

See bug #38670.
Please add information to that report if you have anything useful to add.