#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297 Updated by: [EMAIL PROTECTED] Reported By: smartgenius1 at yahoo dot com -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Windows PHP Version: 5.1.2 New Comment: "The restriction specified with open_basedir is actually a prefix, not a directory name." (c) Previous Comments: [2006-02-05 21:54:25] judas dot iscariote at gmail dot com smartgenius1: can you RTFM please ? http://php.net/manual/en/features.safe-mode.php#ini.open-basedir you **should** use absolute paths ¡¡¡ i.e open_basedir = /path/to/your/data/ [2006-02-05 21:33:27] smartgenius1 at yahoo dot com Ah well. The least you guys should do is put up a warning on the chdir() page that Windows does not have UIDs. [2006-02-05 21:26:04] smartgenius1 at yahoo dot com This bug is NOT bogus. The support here will just not take the time to read what I am trying to say. chdir() should check the open_basedir restriction. It doesnt. I was able to get into my friends computer, because he believed that the open_basedir restriction and safe_mode would prevent people from accessing his files. This function did not follow the open_basedir restriction and let me get into his system files. Anybody that is thinking about hosting or letting other people use PHP on their windows computer... they need to know about this. This is not a bogus bug. This is a very critical bug; but nobody will take the time to read through it. I guess its OK that tons of windows users trust the open_basedir restriction enough to think that this type of thing cannot happen. Boy wont they be in a surprise when somebody uses this exploit and erases their entire computer. Good day. ~Sean [2006-02-05 20:45:46] smartgenius1 at yahoo dot com Sir, you must not be reading it correctly. I have open_basedir set to "."; which should only allow functions to access files in the current directory and under. I am able to change the directory to an above directory with chdir(); that is NOT a file in the cwd or lower. I can have a script working in System/Files/script.php with open_basedir set to "."; I cannot do include("../anyfile.php"); file("../anyfile.php"); or any other thing that access the above directory... so why can I do chdir("../"); include("anyfile.php"); ? The chdir() function should check to make sure that the directory argument is within the allowed paths of open_basedir; which it doesnt. Hope this clarifys my concern. ~Sean [2006-02-05 20:41:55] [EMAIL PROTECTED] What Derick said. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/36297 -- Edit this bug report at http://bugs.php.net/?id=36297&edit=1
#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297 Updated by: [EMAIL PROTECTED] Reported By: smartgenius1 at yahoo dot com -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Windows PHP Version: 5.1.2 New Comment: What Derick said. Previous Comments: [2006-02-05 20:30:45] smartgenius1 at yahoo dot com I said i can reach UPPER LEVEL directories. (../) Any other file system functions wont let me do that. Just chdir(). [2006-02-05 20:29:05] [EMAIL PROTECTED] No bug here. [2006-02-05 20:28:27] [EMAIL PROTECTED] And what if you try to set it to the real path instead of "."? I doubt that PHP is able to distinguish "." when you're in /path/1 from "." when you're in "/another/path". [2006-02-05 20:27:52] [EMAIL PROTECTED] Well "." is the current working directory, so ofcourse you can read it then... [2006-02-05 20:25:39] smartgenius1 at yahoo dot com I have it set to "." The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/36297 -- Edit this bug report at http://bugs.php.net/?id=36297&edit=1
#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297 Updated by: [EMAIL PROTECTED] Reported By: smartgenius1 at yahoo dot com -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Windows PHP Version: 5.1.2 New Comment: Well "." is the current working directory, so ofcourse you can read it then... Previous Comments: [2006-02-05 20:25:39] smartgenius1 at yahoo dot com I have it set to "." [2006-02-05 20:24:48] [EMAIL PROTECTED] What is the value of open_basedir? [2006-02-05 19:13:21] smartgenius1 at yahoo dot com I was also able to unlink() files; and also fwrite() things as well. I had full permissions; as if I was working in ./ and no error ever occured. [2006-02-05 18:42:07] smartgenius1 at yahoo dot com Description: The function chdir() does NOT obey the open_basedir restriction on windows. Chdir() ONLY checks the UID of the directories; and on Windows there are no UIDs. So it is possible to do chdir("../"); and it works on windows; even if the open_basedir restriction is set to "."; which should be blocking it. And to make sure I had open_basedir restriction configured correctly; I tried this: opendir("../"); and sure enough; an error stating that the restriction was on. Reproduce code: --- Expected result: A PHP error stating that the open_basedir restriction was on Actual result: -- It worked. No errors at all; and I was able to open the directory with opendir(getcwd()); after changing the current working directory to the above directory. -- Edit this bug report at http://bugs.php.net/?id=36297&edit=1