Analysis of open_basedir security risks in php

In php, open_basedir is a rarely used function in php, but the open_basedir function is accidentally used to access your server. How amazing is open_basedir? Let's take a look.

Let's look at a piece of code that does not consider open_basedir security issues.

In php, the following error is returned:
Warning: require_once () [function. require-once]: open_basedir restriction in effect. file (.. /Zend/Loader. php) is not within the allowed path (s): (D:/phpnow/vhosts/zf.com; C:/Windows/Temp;) in D: /phpnow/vhosts/zf.com/index.php on line 6

Warning: require_once (.. /Zend/Loader. php) [function. require-once]: failed to open stream: Operation not permitted in D:/phpnow/vhosts/zf.com/index.php on line 6

Fatal error: require_once () [function. require]: Failed opening required '.. /Zend/Loader. php '(include_path = 'd:/phpnow/vhosts/zf. comZend ;.; c:/php5/pear ') in D:/phpnow/vhosts/zf.com/index.php on line 6 literal analysis is restricted by open_basedir, resulting in Operation not permitted (the Operation is not allowed ).

Open php. ini and jump to open_basedir Settings section:

; Open_basedir, if set, limits all file operations to the defined directory
; And below. This directive makes most sense if used in a per-directory
; Or per-virtualhost web server configuration file. This directive is
; * NOT * affected by whether Safe Mode is turned On or Off.

; Open_basedir = If open_basedir is set, all files that can be operated must be in the directory specified by open_basedir. This command is quite useful in virtual hosts. This command is not affected regardless of whether the security mode is enabled. It seems that php. ini has not set open_basedir. Open the apache Virtual Host Configuration file:

The Code is as follows:	Copy code
<Virtualhost *> <Directory "../vhosts/zf.com"> Options-Indexes FollowSymLinks </Directory> ServerAdmin admin@zf.com DocumentRoot "../vhosts/zf.com" ServerName zf.com: 80 ServerAlias * .zf.com ErrorLog logs/zf.com-error_log Php_admin_value open_basedir "D:/phpnow/vhosts/zf.com; C:/Windows/Temp ;" </Virtualhost>

The php_admin_value open_basedir limits the operation directory. I am going to test it locally. If you do not consider the security factors, directly Delete php_admin_value open_basedir "D:/phpnow/vhosts/zf.com; C:/Windows/Temp;" and restart apache,

If the above steps are complete, you can delete the server files at will, but fortunately, the security configuration of the php site is basically open_basedir + safemode, which is indeed invincible and secure, even in environments where permissions are not well set, this configuration is quite secure. Of course, some situations that can be bypassed are not considered. This article discusses two possible security risks (encountered in reality) after open_basedir is enabled. One may be a small bug in php, And the other may be caused by improper configuration.

I. The existence of directories is not strictly considered when processing file paths in open_basedir. This will cause local inclusion or bypassing local file reading.

Let's look at an example of arbitrary reading of a local file:

The Code is as follows:	Copy code
<? Php $ File = $ _ GET ['file']; Preg_match ("/^ img/", $ file) or die ('error _ file '); $ File = '/home/www/upload/'. $ file; File_exists ($ file) or die ('no _ such_file '); $ F = fopen ("$ file", 'R '); $ Jpeg = fread ($ f, filesize ("$ file ")); Fclose ($ f ); Header ("Content-type: image/jpeg "); Header ("Content-disposition: inline; filename=test.jpg "); Echo $ jpeg; ?>

Although the file is submitted arbitrarily, the prefix must be img. If we want to read the file out of the directory, for example, to read config. php under the root directory of the website, do we have to submit the file? File = img /.. /.. /config. php, but there is a restriction that the img Folder does not exist in the upload directory. In windows, the system does not consider that the directory does not exist and directly jumps to the directory, resulting in a vulnerability; however, the linux file system is very rigorous. It will carefully judge whether each layer of directory exists. For example, because there is no img, an error is reported when the system jumps out to read the file. See the following example:

Let's look at a similar example of local inclusion:

The Code is as follows:	Copy code
<? Php Include "aaa". $ _ GET ['lang ']. ". php "; ?>

Due to linux File System Restrictions, we cannot use the side note to include files under tmp.

Linux's rigorous consideration is obviously not profound in php. When open_basedir is enabled, php processes the actual path of the input file and compares it with the path set in open_basedir:

The Code is as follows:	Copy code
...... /* Normalize and expand path */ If (expand_filepath (path, resolved_name TSRMLS_CC) = NULL ){ Return-1; } Path_len = strlen (resolved_name ); Memcpy (path_tmp, resolved_name, path_len + 1);/* safe */ ......

However, php ignores whether the check path exists during processing. So when open_basedir is enabled, can we use the example of reading the above file? File = img /.. /.. /config. php to directly read, the submitted path has been processed as/home/www/config. php, so there is no read problem.

The problem is caused by a bypass during the penetration test, and the Environment difference is analyzed, then xi4oyu pointed out that the problem may be caused by open_basedir, and the test concluded that this is a small bug in php, but it may cause security risks.

Ii. Improper configuration of open_basedir values may lead to directory overlay.

Many administrators know how to set open_basedir, but directory overlay may occur during improper configuration.

Incorrect configuration:/tmp:/home/www. Correct configuration:/tmp/:/home/www/

The Code is as follows:

Copy code

...... /* Resolve open_basedir to resolved_basedir */ If (expand_filepath (local_open_basedir, resolved_basedir TSRMLS_CC )! = NULL ){ /* Handler for basedirs that end with /*/ Resolved_basedir_len = strlen (resolved_basedir ); If (basedir [strlen (basedir)-1] = PHP_DIR_SEPARATOR ){ If (resolved_basedir [resolved_basedir_len-1]! = PHP_DIR_SEPARATOR ){ Resolved_basedir [resolved_basedir_len] = PHP_DIR_SEPARATOR; Resolved_basedir [++ resolved_basedir_len] = '/0 '; } } Else { Resolved_basedir [resolved_basedir_len ++] = PHP_DIR_SEPARATOR; Resolved_basedir [resolved_basedir_len] = '/0 '; } ......

Php considers the path ending with a slash (/), but if there is no slash (/), it will be compared directly below.

Therefore, when a new website is/home/wwwoldjun/(open_basedir has been set separately), if the configuration is incorrect, you can jump to the/home/wwwoldjun/directory from the/home/www/directory.

For example, when a penetration instance is renting a VM, an idc provider allocates space for/home/wwwroot/userxxx/,/home/wwwroot/useryyy /..., open_basedir is incorrectly configured as follows:/tmp:/home/wwwroot/userxxx,/tmp:/home/wwwroot/useryyy. What should we do if we want to easily penetrate the userxxx site through configuration errors?

Special value. indicates that the script's working directory will be used as the reference directory. But this is dangerous because the working directory of the script can be easily changed by chdir.

In the httpd. conf file, open_basedir can be disabled using the "php_admin_value open_basedir none" method like any other configuration options (for example, in some virtual hosts ).

In Windows, separate directories with semicolons. Use colons to separate directories in any other system. As an Apache module, the open_basedir path in the parent directory is automatically inherited.

The restriction specified by open_basedir is actually a prefix, not a directory name. That is to say, "open_basedir =/dir/incl" will also allow access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to a specified directory only, end the path with a slash. For example, "open_basedir =/dir/incl /".