Oldjun
Currently, the standard security configuration for a PHP site is open_basedir + safe_mode, which is indeed robust: even when file permissions are not set properly, this configuration is fairly safe (ignoring, of course, certain situations that can be bypassed). This article discusses two possible security risks (both encountered in practice) that remain after open_basedir is enabled. One may be a small bug in PHP, and the other may be caused by improper configuration.
I. When processing file paths under open_basedir, PHP does not strictly check whether the directories exist. This can lead to bypasses of local file inclusion or local file reading restrictions.
Let's look at an example of arbitrary reading of a local file:
<?php
// Deliberately vulnerable example: only the "img" prefix of the user-supplied name is checked
$file = $_GET['file'];
preg_match("/^img/", $file) or die("error_file");
$file = "/home/www/upload/".$file;
file_exists($file) or die("no_such_file");
$f = fopen("$file", "r");
$jpeg = fread($f, filesize("$file"));
fclose($f);
Header("Content-type: image/jpeg");
Header("Content-disposition: inline; filename=test.jpg");
echo $jpeg;
?>
Although the file name is submitted arbitrarily, it must begin with the prefix img. To read a file outside the directory, for example config.php under the website root, we would submit file=img/../../config.php, but there is a restriction: the img folder does not exist in the upload directory. On Windows, the system does not care that the directory does not exist and simply traverses out of it, producing the vulnerability; the Linux file system, however, is very rigorous and checks whether every level of directory exists, so because there is no img directory, an error is raised when trying to traverse out and read the file. See the following example:
Let's look at a similar example of local inclusion:
<?php
// Deliberately vulnerable example: the user-supplied value is spliced into the include path
include "aaa".$_GET['lang'].".php";
?>
Because of this Linux file system restriction, we cannot use the side-note trick to include files under /tmp.
Linux's rigor is clearly not carried over into PHP. When open_basedir is enabled, PHP resolves the actual path of the input file and compares it with the paths set in open_basedir:
......
/* Normalize and expand path */
if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL) {
    return -1;
}

path_len = strlen(resolved_name);
memcpy(path_tmp, resolved_name, path_len + 1); /* safe */
......
(See fopen_wrappers.c)
However, during this processing PHP ignores whether the path actually exists. So with open_basedir enabled, in the file-reading example above we can submit file=img/../../config.php and read the file directly: the submitted path has already been normalized to /home/www/config.php, so reading it poses no problem.
This problem was discovered through a bypass during a penetration test. After the environment differences were analyzed, xi4oyu pointed out that the cause might be open_basedir, and testing confirmed that this is a small bug in PHP, but one that may cause security risks.
II. Improper configuration of open_basedir values may lead to directory overlay.
Many administrators know how to set open_basedir, but an improper configuration may lead to directory overlay.
Incorrect configuration: /tmp:/home/www. Correct configuration: /tmp/:/home/www/
......
/* Resolve open_basedir to resolved_basedir */
if (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL) {
    /* Handler for basedirs that end with a / */
    resolved_basedir_len = strlen(resolved_basedir);
    if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
        if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
            resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
            resolved_basedir[++resolved_basedir_len] = '\0';
        }
    } else {
        resolved_basedir[resolved_basedir_len++] = PHP_DIR_SEPARATOR;
        resolved_basedir[resolved_basedir_len] = '\0';
    }
......
(See fopen_wrappers.c)
PHP handles the case where the path ends with a slash (/), but if there is no trailing slash, the path is passed directly to the comparison below.
Therefore, when a new website lives at /home/wwwoldjun/ (with its own open_basedir set separately), an incorrect configuration lets you jump from the /home/www/ directory into the /home/wwwoldjun/ directory.
Local test:
For example, in a penetration instance on a rented VM, an IDC provider allocates space as /home/wwwroot/userxxx/, /home/wwwroot/useryyy/, ..., and open_basedir is incorrectly configured as /tmp:/home/wwwroot/userxxx, /tmp:/home/wwwroot/useryyy. What should we do if we want to easily penetrate the userxxx site through this configuration error?
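As an added illustration (not PHP's own source, and not the author's code), the following C model implements the two behaviours discussed in parts I and II: the requested path is normalized lexically without checking that intermediate directories exist, and the resolved basedir is compared as a string prefix, so an entry written without a trailing slash also matches /home/wwwoldjun/. The function names and 512-byte buffers are this example's own assumptions.

```c
#include <string.h>
/* Added example, not PHP's source: models the open_basedir check as the text
 * describes it. normalize_path() collapses "." and ".." lexically with no
 * existence check (part I); allowed_by_basedir() does the strncmp prefix match,
 * where an entry without a trailing '/' is a bare string prefix (part II). */
static void normalize_path(const char *in, char *out, size_t outsz)
{
    char tmp[512] = {0}, *parts[64];
    int n = 0;
    strncpy(tmp, in, sizeof tmp - 1);
    for (char *tok = strtok(tmp, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; continue; }
        if (n < 64) parts[n++] = tok;
    }
    strncpy(out, "/", outsz);                /* "/" when nothing is left */
    for (int i = 0; i < n; i++) {            /* rebuild "/a/b/c" */
        if (i) strncat(out, "/", outsz - strlen(out) - 1);
        strncat(out, parts[i], outsz - strlen(out) - 1);
    }
}
/* 1 if path falls under one basedir entry, 0 otherwise. */
static int allowed_by_basedir(const char *basedir, const char *path)
{
    char base[512], name[512];
    normalize_path(basedir, base, sizeof base);
    /* re-append the trailing '/' the administrator wrote, as PHP does */
    if (basedir[strlen(basedir) - 1] == '/' && base[strlen(base) - 1] != '/')
        strncat(base, "/", sizeof base - strlen(base) - 1);
    normalize_path(path, name, sizeof name);
    return strncmp(base, name, strlen(base)) == 0;
}

/* Walk a colon-separated open_basedir value: allowed if any entry matches. */
int check_open_basedir(const char *open_basedir, const char *path)
{
    const char *p = open_basedir, *colon;
    do {
        colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char entry[512];
        if (len >= sizeof entry) len = sizeof entry - 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (len && allowed_by_basedir(entry, path)) return 1;
        if (colon) p = colon + 1;
    } while (colon);
    return 0;
}
```

With the incorrect value /tmp:/home/www the check accepts /home/wwwoldjun/config.php, while the corrected value /tmp/:/home/www/ rejects it; both values accept the normalized img/../../config.php path from part I because the check never asks whether the img directory exists.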