PHP :: Bug #41654 :: open_basedir bypass via mysql

Bug #41654

open_basedir bypass via mysql_connect()

Submitted:

2007-06-11 17:12 UTC

Modified:

2007-06-15 18:02 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

dr at peytz dot dk

Assigned:

Status:

Wont fix

Package:

Safe Mode/open_basedir

PHP Version:

5.2.3

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2007-06-11 17:12 UTC] dr at peytz dot dk

Description:
------------
file_exists() etc. does not allow checking the existence of files outside the directories specified in open_basedir.

This can be circumvented using mysql_connect(). The existence of a file can be checked using the example code below.


Reproduce code:
---------------
$filename = '/etc/passwd';
mysql_connect(':' . $filename);
$error = error_get_last();
if (strpos($error['message'], '(13)')) {
    print 'file exists';
} else {
    print 'file does not exist';
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-06-12 12:43 UTC] iliaa@php.net

It is quite impractical for PHP to validate things like unix domain 
socket paths for all databases that support them to avoid open_basedir/
safe_mode bypasses. Had the bypass allowed reading of files, I could see 
the need to implement additional checks, but simple "presence" checks 
don't warrant hacks necessary to add such protection.

[2007-06-15 18:02 UTC] dr at peytz dot dk

In this case, PHP doesn't need to validate the socket path. It just shouldn't add the specific error code to the error string. I doubt many people will miss the "(13)" part of the error string.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 13 06:01:27 2025 UTC