php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #55761 System php functions do not respect open_basedir allowed paths
Submitted: 2011-09-22 09:26 UTC Modified: 2011-09-22 09:36 UTC
From: enrico dot simonetti at gmail dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.3.8 OS: Linux 2.6.35-30-generic
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: enrico dot simonetti at gmail dot com
New email:
PHP Version: OS:

 

 [2011-09-22 09:26 UTC] enrico dot simonetti at gmail dot com 
Description:
------------
On Apache I have:

<Directory "/var/www/sample/locked">
php_admin_value open_basedir "/var/www/sample/locked"
</Directory>

The test script will be located on /var/www/sample/locked/test.php

It will try to read with a system() call something outside my open_basedir scope.

Eg: system('ls -la ../');



Test script:
---------------
<?php

system('ls -la ../');

system('cat ../disallowedfolder/credentials.php');

Expected result:
----------------
I should not see any output.

Actual result:
--------------
I can list the folders on the path outside my open_basedir

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-22 09:36 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2011-09-22 09:36 UTC] pajoye@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP only controls its own file access, not external applications.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 18:01:31 2024 UTC