#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297
Updated by: [EMAIL PROTECTED]
Reported By: smartgenius1 at yahoo dot com
-Status: Open
+Status: Bogus
Bug Type: Safe Mode/open_basedir
Operating System: Windows
PHP Version: 5.1.2
New Comment:
"The restriction specified with open_basedir is actually a prefix, not
a directory name." (c)
Previous Comments:
[2006-02-05 21:54:25] judas dot iscariote at gmail dot com
smartgenius1: can you RTFM please ?
http://php.net/manual/en/features.safe-mode.php#ini.open-basedir
you **should** use absolute paths ¡¡¡
i.e open_basedir = /path/to/your/data/
[2006-02-05 21:33:27] smartgenius1 at yahoo dot com
Ah well. The least you guys should do is put up a warning on the
chdir() page that Windows does not have UIDs.
[2006-02-05 21:26:04] smartgenius1 at yahoo dot com
This bug is NOT bogus. The support here will just not take the time to
read what I am trying to say.
chdir() should check the open_basedir restriction. It doesnt.
I was able to get into my friends computer, because he believed that
the open_basedir restriction and safe_mode would prevent people from
accessing his files. This function did not follow the open_basedir
restriction and let me get into his system files. Anybody that is
thinking about hosting or letting other people use PHP on their windows
computer... they need to know about this.
This is not a bogus bug. This is a very critical bug; but nobody will
take the time to read through it.
I guess its OK that tons of windows users trust the open_basedir
restriction enough to think that this type of thing cannot happen. Boy
wont they be in a surprise when somebody uses this exploit and erases
their entire computer.
Good day.
~Sean
[2006-02-05 20:45:46] smartgenius1 at yahoo dot com
Sir, you must not be reading it correctly.
I have open_basedir set to "."; which should only allow functions to
access files in the current directory and under.
I am able to change the directory to an above directory with chdir();
that is NOT a file in the cwd or lower.
I can have a script working in
System/Files/script.php
with open_basedir set to "."; I cannot do
include("../anyfile.php");
file("../anyfile.php");
or any other thing that access the above directory...
so why can I do
chdir("../");
include("anyfile.php");
?
The chdir() function should check to make sure that the directory
argument is within the allowed paths of open_basedir; which it doesnt.
Hope this clarifys my concern.
~Sean
[2006-02-05 20:41:55] [EMAIL PROTECTED]
What Derick said.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/36297
--
Edit this bug report at http://bugs.php.net/?id=36297&edit=1
#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297 Updated by: [EMAIL PROTECTED] Reported By: smartgenius1 at yahoo dot com -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: Windows PHP Version: 5.1.2 New Comment: What Derick said. Previous Comments: [2006-02-05 20:30:45] smartgenius1 at yahoo dot com I said i can reach UPPER LEVEL directories. (../) Any other file system functions wont let me do that. Just chdir(). [2006-02-05 20:29:05] [EMAIL PROTECTED] No bug here. [2006-02-05 20:28:27] [EMAIL PROTECTED] And what if you try to set it to the real path instead of "."? I doubt that PHP is able to distinguish "." when you're in /path/1 from "." when you're in "/another/path". [2006-02-05 20:27:52] [EMAIL PROTECTED] Well "." is the current working directory, so ofcourse you can read it then... [2006-02-05 20:25:39] smartgenius1 at yahoo dot com I have it set to "." The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/36297 -- Edit this bug report at http://bugs.php.net/?id=36297&edit=1
#36297 [Opn->Bgs]: Bypass open_basedir on windows
ID: 36297
Updated by: [EMAIL PROTECTED]
Reported By: smartgenius1 at yahoo dot com
-Status: Open
+Status: Bogus
Bug Type: Safe Mode/open_basedir
Operating System: Windows
PHP Version: 5.1.2
New Comment:
Well "." is the current working directory, so ofcourse you can read
it then...
Previous Comments:
[2006-02-05 20:25:39] smartgenius1 at yahoo dot com
I have it set to "."
[2006-02-05 20:24:48] [EMAIL PROTECTED]
What is the value of open_basedir?
[2006-02-05 19:13:21] smartgenius1 at yahoo dot com
I was also able to unlink() files; and also fwrite() things as well. I
had full permissions; as if I was working in ./ and no error ever
occured.
[2006-02-05 18:42:07] smartgenius1 at yahoo dot com
Description:
The function chdir() does NOT obey the open_basedir restriction on
windows. Chdir() ONLY checks the UID of the directories; and on Windows
there are no UIDs. So it is possible to do
chdir("../");
and it works on windows; even if the open_basedir restriction is set to
"."; which should be blocking it.
And to make sure I had open_basedir restriction configured correctly; I
tried this:
opendir("../");
and sure enough; an error stating that the restriction was on.
Reproduce code:
---
Expected result:
A PHP error stating that the open_basedir restriction was on
Actual result:
--
It worked. No errors at all; and I was able to open the directory with
opendir(getcwd());
after changing the current working directory to the above directory.
--
Edit this bug report at http://bugs.php.net/?id=36297&edit=1
