ID: 30905
User updated by: sat at lomejordeinternet dot net
Reported By: sat at lomejordeinternet dot net
Status: Bogus
Bug Type: Filesystem function related
Operating System: Linux Fedora 2
PHP Version: 4.3.9
New Comment:

http://www.php.net/manual/en/features.safe-mode.php#ini.open-basedir

"Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off. When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink."

Is it possible to run a system command in /bin when this dir is not in open_basedir?

Previous Comments:
------------------------------------------------------------------------

[2004-11-26 21:51:35] sat at lomejordeinternet dot net

Well. Not a bug? If php_admin_value open_basedir restricts use to /XXX /yyy /zzzz, but a user can, with a script in /XXX, for example read /etc or /WWW/XXX/ (this dir is not in open_basedir), what is this?

------------------------------------------------------------------------

[2004-11-26 13:12:09] [EMAIL PROTECTED]

This is not a bug, PHP cannot stop other programs from going into directories protected by open_basedir.

------------------------------------------------------------------------

[2004-11-26 13:02:56] sat at lomejordeinternet dot net

Description:
------------
http://ns11.hostinglmi.net/phpinfo.php

In these circumstances, with open_basedir in httpd.conf

    (<IfModule mod_php4.c>
    php_admin_value open_basedir "/home/xn3m/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule> )

if a certain local exploit such as the attached file is executed, a user can read any dir with group other read permission.

Reproduce code:
---------------
ns3.hostinglmi.net/cmd.txt
ns3.hostinglmi.net/bug_openbasedir.png

(This machine no longer shows the bug because disable_functions = passthru,exec,shell_exec,proc_open was added to php.ini)

Expected result:
----------------
Use the cat command to see any file with passwords (config.php of several scripts, ...)
Use ls to see the filesystem structure...

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=30905&edit=1
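
Added example, not part of the bug report or of PHP itself: an audit script an administrator could run under the same SAPI to check the point made in the thread, that open_basedir does not confine programs PHP launches, so program-execution functions have to be disabled separately. The function name enabledExecFunctions and the entries beyond the four functions named in the report (system, popen, pcntl_exec) are choices made here; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the bug report. Assumes PHP 7.1 or later.
// Program-execution functions from the PHP manual. The first four are the
// ones named in the report's disable_functions line; the rest are added here.
const EXEC_FUNCTIONS = [
    'passthru', 'exec', 'shell_exec', 'proc_open',
    'system', 'popen', 'pcntl_exec',
];

// Return the functions from EXEC_FUNCTIONS that a script could still call,
// given the raw disable_functions string.
function enabledExecFunctions(string $disableFunctions): array
{
    $disabled = array_map('trim', explode(',', strtolower($disableFunctions)));
    $enabled = [];
    foreach (EXEC_FUNCTIONS as $fn) {
        // function_exists() is false when the extension is not loaded
        // (and, from PHP 8.0, when the function is disabled).
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

// Effective values for the SAPI this script runs under.
$openBasedir = (string) ini_get('open_basedir');
$enabled = enabledExecFunctions((string) ini_get('disable_functions'));

if ($openBasedir === '') {
    echo "open_basedir is not set\n";
} elseif ($enabled) {
    echo "open_basedir = $openBasedir\n";
    echo "External programs are not confined by it; still callable: ",
         implode(', ', $enabled), "\n";
} else {
    echo "open_basedir = $openBasedir; no program-execution functions are callable\n";
}

// Constructed check against the disable_functions value quoted in the report.
echo "With the report's list, still callable: ",
     implode(', ', enabledExecFunctions('passthru,exec,shell_exec,proc_open')), "\n";
```

Run it through the web server rather than the CLI, since php_admin_value settings in httpd.conf only apply there.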