Analysis on the security hidden Trouble in PHP open_basedir

Let's take a look at the Open_basedir security code.

Wrote a sentence require_once in PHP '. /zend/loader.php '; Error:
Warning:require_once () [function.require-once]: Open_basedir restriction in effect. File (.. /zend/loader.php is not within the allowed path (s): (d:/phpnow/vhosts/zf.com; C:/windows/temp.) in d:/phpnow/vhosts/zf.com/index.php to line 6

Warning:require_once (.. /zend/loader.php) [Function.require-once]: failed to open stream:operation not permitted in d:/phpnow/vhosts/zf.com/ index.php on line 6

Fatal error:require_once () [function.require]: Failed opening required '. /zend/loader.php ' (include_path= ' d:/phpnow/vhosts/zf.comzend;;; C:/php5/pear ') in d:/phpnow/vhosts/zf.com/index.php on line 6 literal analysis is limited by the Open_basedir, causing operation not Permitted (Operation not allowed).

Open php.ini jump to Open_basedir related settings paragraph:

; Open_basedir, if set, limits all file operations to the defined directory
;  and below. This is directive makes most sense if used in a per-directory
; or per-virtualhost Web server configuration file. This directive is
; *not* affected by whether Safe Mode was turned on or off.

Open_basedir = If the Open_basedir is set, then all files that can be manipulated can only be restricted to the Open_basedir specified directory. This instruction in the virtual host is quite useful. This directive is unaffected regardless of whether safe mode is turned on. It appears that PHP.ini did not set Open_basedir. To open the Apache virtual host configuration file:

code is as follows	copy code
< VirtualHost *>     <directory ". /vhosts/zf.com "         options-indexes followsymlinks      </DIRECTORY>     ServerAdmin admin@zf.com     documentroot. /vhosts/zf.com "     ServerName zf.com:80     serveralias *.zf.com      ErrorLog logs/zf.com-error_log     php_admin_value open_basedir "d:/phpnow/vhosts/ zf.com; c:/windows/temp; " </virtualhost>

Inside the Php_admin_value Open_basedir defines the operation directory. I am here for local testing, security factors not considered, directly will php_admin_value Open_basedir "d:/phpnow/vhosts/zf.com;" c:/windows/temp; "Delete, restart Apache,

If the above can be used to remove the server file, but fortunately the current PHP site security configuration is basically open_basedir+safemode, it is very invincible, very safe, even in the context of the right does not have a good setting, such configuration is quite safe, of course, Do not consider some of the things that can be bypassed. This article discusses the security risks that may result from the two-point opening of the Open_basedir (reality), a small bug that may belong to PHP, and the other may be due to improper configuration.

The existence of a directory is not strictly considered in the processing of file paths in Open_basedir, which results in a bypass of local or local file reads.

Look at an example of any local file read:

code is as follows	copy code
<?php $ File = $_get[' file ']; Preg_match ("/^img/", $file) or Die (' error_file '); $file = '/home/www/upload/'. $file; File_exists ($file) or Die (' no_such_file '); $f = fopen ("$file", ' R '); $jpeg = fread ($f, FileSize ("$file")); Fclose ($f); Header ("Content-type:image/jpeg"); Header ("Content-disposition:inline; Filename=test.jpg "); Echo $jpeg; ?>

Although file is arbitrarily submitted, but the prefix must be restricted to IMG, if we want to jump out of the directory to read the file, for example, read the site root directory config.php, we have to submit? file=img/. /.. /config.php, but there is a restriction, that is, the upload directory does not exist in the IMG folder, in the Windows file system, the system will not consider the existence of the directory does not exist, will directly jump directory to cause vulnerabilities; Because there is no IMG, then jump out to read the file when the direct error. Look at the following schematic:

Let's look at a similar local-included example:

The code is as follows	Copy Code
<?php Include "AAA". $_get[' Lang '. PHP "; ?>

Because of the limitations of the Linux file system, we cannot use the side note to contain the files under TMP.

Linux rigorous consideration in PHP is clearly not a profound experience. When Open_basedir is turned on, PHP takes a true path to the incoming file path and compares it to the path set in Open_basedir:

The code is as follows	Copy Code
...... /* Normalize and expand path * * if (Expand_filepath (path, resolved_name tsrmls_cc) = = NULL) { return-1; } Path_len = strlen (resolved_name); memcpy (Path_tmp, Resolved_name, Path_len + 1); * Safe * * ......

But when the PHP processing ignores the existence of the check path, so when the Open_basedir is opened, the above file reads the example, we can use the file=img/... /.. /config.php to read directly, at this time the submitted path has been processed into/home/www/config.php, so there is no reading problem.

Problems by penetration testing when encountered bypass the situation and lead to doubt, after analysis of environmental differences, and then Xi4oyu cattle pointing may be open_basedir problem after the test summed up this is a small PHP bug, but it is likely to lead to security risks.

Second, the Open_basedir value is improperly configured, which may lead to directory leapfrogging.

Many administrators are aware of setting open_basedir, but there may be a problem with directory leapfrogging when improperly configured.

Bad configuration:/tmp:/home/www, correct configuration:/tmp/:/home/www/

code is as follows

copy code

... /* Resolve open_basedir to Resolved_basedir */ if (Expand_filepath (Local_open_basedir, Resolved_basedir TSRMLS_ CC)!= NULL) { /* Handler for Basedirs this end with a/*/ Resolved_basedir_len = strlen (resolved_basedir); I F (Basedir[strlen (Basedir)-1] = = Php_dir_separator) { if (resolved_basedir[resolved_basedir_len-1)!= Php_dir_sepa Rator) { Resolved_basedir[resolved_basedir_len] = php_dir_separator; Resolved_basedir[++resolved_basedir_ Len] = '/0 '; } Else { resolved_basedir[resolved_basedir_len++] = php_dir_separator Resolved_basedir[resolved_ Basedir_len] = '/0 '; } ...

PHP takes the/end path into account, but if not/, it is compared directly to the following.

As a result, when a new Web site is/home/wwwoldjun/(both have been set up separately open_basedir), you can jump from the/home/www/directory to the/home/wwwoldjun/directory if the configuration is incorrect.

To give an example of penetration, a IDC in the rental of virtual host when the space/home/wwwroot/userxxx/,/home/wwwroot/useryyy/..., and Open_basedir is so misconfigured:/tmp:/home/ Wwwroot/userxxx,/tmp:/home/wwwroot/useryyy. What should we do if we want to easily infiltrate the userxxx site with the wrong configuration?

Special values. Indicates that the working directory of the script will be used as the base directory. But this is a bit risky because the script's working directory can easily be changed by ChDir ().

In the httpd.conf file, Open_basedir can be shut down with "Php_admin_value open_basedir none", like any other configuration option (for example, in some virtual hosts).

In Windows, separate the directories with semicolons. Separate the directories with colons in any other system. As an Apache module, the Open_basedir path in the parent directory is automatically inherited.

The limit specified with Open_basedir is actually a prefix, not a directory name. That is to say, "Open_basedir =/dir/incl" will also allow access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to only the specified directory, end the path name with a slash. For example: "Open_basedir =/dir/incl/".