A brief analysis of security hidden dangers in PHP open_basedir _php tutorial

Source: Internet
Author: User
In PHP Open_basedir is a use of PHP is not much of a function, but open_basedir function accidentally give someone to enter your server, open_basedir in the end there is more magic we come to see it.

Let's take a look. We don't consider Open_basedir security issue code

Wrote a sentence in PHP require_once '. /zend/loader.php '; Error:
Warning:require_once () [function.require-once]: Open_basedir restriction in effect. File (.. /zend/loader.php) is not within the allowed path (s): (d:/phpnow/vhosts/zf.com; c:/windows/temp;) in d:/phpnow/vhosts/zf.com/index.php on line 6

Warning:require_once (.. /zend/loader.php) [Function.require-once]: failed to open stream:operation not permitted in d:/phpnow/vhosts/zf.com/ index.php on line 6

Fatal error:require_once () [function.require]: Failed opening required '. /zend/loader.php ' (include_path= ' d:/phpnow/vhosts/zf.comzend;.; C:/php5/pear ') in d:/phpnow/vhosts/zf.com/index.php-line 6 literal analysis is limited by open_basedir, causing operation not Permitted (Operation not allowed).

Open php.ini jump to Open_basedir related settings paragraph:

; Open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes more sense if used in a per-directory
; or per-virtualhost Web server configuration file. This directive is
; *not* affected by whether Safe Mode was turned on or Off.

Open_basedir = If Open_basedir is set, all files that can be manipulated can only be restricted to the directory specified by Open_basedir. This command is quite useful in a virtual host. This instruction is unaffected regardless of whether the security mode is turned on or not. It seems php.ini did not set Open_basedir. Open Apache Virtual Host configuration file:

copy code

options-indexes followsymlinks

ServerAdmin admin@z F.com
DocumentRoot ". /vhosts/zf.com "
ServerName zf.com:80
Serveralias *.zf.com
errorlog logs/zf.com-error_log
Php_admin_value Open_basedir "d:/phpnow/vhosts/zf.com; c:/windows/temp; "

The Php_admin_value open_basedir inside limits the operating directory. I am here for local testing, security factors do not consider, directly will php_admin_value Open_basedir "d:/phpnow/vhosts/zf.com; c:/windows/temp; "Remove, restart Apache,

Above if you can delete the server files, but fortunately the current PHP site security configuration is basically Open_basedir+safemode, is very invincible, very secure, even if the permissions are not well set up in the environment, so configuration is quite safe, of course, Some situations that can be bypassed are not considered. This article discusses the potential security implications of two-point open open_basedir (real-world encounters), a small bug that might be part of PHP, and another one that may have been improperly configured.

The existence of a directory is not strictly considered when processing file paths in Open_basedir, which results in a bypass of local or local file reads.

See an example of any local file read:

copy code
!--? php
$file = $_get[' file '];
Preg_match ("/^img/", $file) or Die (' error_file ');
$file = '/home/www/upload/'. $file;
File_exists ($file) or Die (' no_such_file ');
$f = fopen ("$file", ' R ');
$jpeg = fread ($f, FileSize ("$file"));
Fclose ($f);
Header ("Content-type:image/jpeg");
Header ("Content-disposition:inline; Filename=test.jpg ");
Echo $jpeg;

Although file is arbitrarily committed, but restricts the prefix must be IMG, if we want to jump out of the directory to read the file, for example, read the site root directory config.php, we have to submit? file=img/. /.. /config.php, but there is a restriction here, that is, the upload directory does not exist in the IMG folder, in the Windows file system, the system will not consider the directory exists, will jump directly to the directory to cause a vulnerability, but the Linux file system is very rigorous, it will carefully determine the existence of each layer of directory, such as this Because there is no IMG, then jump out of the file to read the error when directly. Look at one of the following:

Let's look at a similar example of a local inclusion:

The code is as follows Copy Code
Include "AAA". $_get[' Lang '. ". PHP ";

Due to the limitations of the Linux file system, we cannot use the side-note to include files under TMP.

Linux rigorous considerations in PHP there is obviously no deep experience. When Open_basedir is turned on, PHP takes the actual path of the incoming file path and compares it to the path set in the Open_basedir:

The code is as follows Copy Code

/* Normalize and expand path */
if (Expand_filepath (path, resolved_name tsrmls_cc) = = NULL) {

Path_len = strlen (resolved_name);
memcpy (Path_tmp, Resolved_name, Path_len + 1); /* Safe */

But PHP in the process of ignoring the check path exists, so when the Open_basedir opened, the above file read example, we can use? file=img/. /.. /config.php to read directly, at this time the submitted path has been processed into/home/www/config.php, so there is no reading problem.

The problem by the penetration test when encountered by bypassing the situation to lead to doubt, after the analysis of environmental differences, and then xi4oyu cattle steering there may be open_basedir problems after the test concluded that this is a small PHP bug, but it is likely to lead to security risks.

Second, the value of Open_basedir improper configuration, it is possible to cause directory spanning.

Many administrators are aware of setting up open_basedir, but there may be problems with directory spanning when improperly configured.

Wrong configuration:/tmp:/home/www, correct configuration:/tmp/:/home/www/

code as follows copy code

/* Resolve open_basedir to Resolved_basedir */
if (Expand_filepath (Local_open_basedir, Resolved_basedir TSRMLS_ CC) = NULL) {
/* Handler for Basedirs this end with a/*/
Resolved_basedir_len = strlen (resolved_basedir);
if (Basedir[strlen (Basedir)-1] = = Php_dir_separator) {
if (resolved_basedir[resolved_basedir_len-1]! = Php_dir_sep Arator) {
Resolved_basedir[resolved_basedir_len] = php_dir_separator;
Resolved_basedir[++resolved_basedir_len] = '/0 ';
} else {
resolved_basedir[resolved_basedir_len++] = php_dir_separator;
Resolved_basedir[resolved_basedir_len] = '/0 ';

PHP takes the/end path into account, but if not/, directly into the following comparison.

As a result, when you create a new Web site for/home/wwwoldjun/(which has been set Open_basedir separately), you can jump from the/home/www/directory to the/home/wwwoldjun/directory if the configuration is incorrect.

As an example of infiltration, an IDC trader allocates space/home/wwwroot/userxxx/,/home/wwwroot/useryyy/... while renting a virtual host, and Open_basedir is so misconfigured:/tmp:/home/ Wwwroot/userxxx,/tmp:/home/wwwroot/useryyy. What should we do if we want to infiltrate the Userxxx site easily through misconfiguration?

Special values. Indicates that the working directory of the script will be used as the base directory. But this is a bit risky because the working directory of the script can easily be changed by ChDir ().

In the httpd.conf file, Open_basedir can be turned off, like any other configuration option, with "Php_admin_value open_basedir none" (for example, in some virtual hosts).

In Windows, separate the directories with semicolons. Separate the directories with colons in any other system. As an Apache module, the Open_basedir path in the parent directory is automatically inherited.

The limit specified with Open_basedir is actually a prefix, not a directory name. This means "Open_basedir =/dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to only the specified directory, end the path name with a slash. For example: "Open_basedir =/dir/incl/".

http://www.bkjia.com/PHPjc/632831.html www.bkjia.com true http://www.bkjia.com/PHPjc/632831.html techarticle in PHP Open_basedir is a use of PHP is not much of a function, but open_basedir function accidentally give someone to enter your server, open_basedir in the end there are many magic we come to see it ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.