This issue was reported by Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323585

It seems it is possible to bypass the open_basedir directive, allowing users access to various files they should not have access to.
The PHP "safe mode" and "open_basedir" configuration options are intended to prevent an interpreted script from executing arbitrary system commands or opening arbitrary files on the system. But the PHP interpreter does not offer a "sandboxed" security layer (as found in, say, a JVM) with which to reliably implement these features, so they cannot be relied upon as a security feature. Any bug in PHP (or any extension) which allows a script to corrupt memory or cause the interpreter to crash may allow the script to bypass safe mode or open_basedir. Similarly, any feature of a bundled (or third-party) extension which allows the script to open arbitrary files, or execute arbitrary commands, may allow the script to bypass safe mode or open_basedir. For these reasons, bugs in the "safe mode" and "open_basedir" options, or any bugs in the PHP interpreter or extensions which allow scripts to bypass these options, will not be treated as security-sensitive. See also http://www.php.net/security-note.php for the similar position taken by the PHP project.
*** Bug 172204 has been marked as a duplicate of this bug. ***
This bug will be used as a meta-bug for tracking PHP "safe"-mode/open_basedir issues, which will in general not be fixed in updates for Red Hat Enterprise Linux of the PHP package.
*** Bug 205003 has been marked as a duplicate of this bug. ***
*** Bug 206276 has been marked as a duplicate of this bug. ***
*** Bug 240155 has been marked as a duplicate of this bug. ***
*** Bug 278001 has been marked as a duplicate of this bug. ***
*** Bug 277971 has been marked as a duplicate of this bug. ***
*** Bug 277991 has been marked as a duplicate of this bug. ***
*** Bug 278071 has been marked as a duplicate of this bug. ***
*** Bug 287971 has been marked as a duplicate of this bug. ***
*** Bug 290591 has been marked as a duplicate of this bug. ***
Safe mode feature was removed upstream for the upcoming PHP 6 release:

http://www.php.net/manual/en/features.safe-mode.php

Warning: Safe Mode was removed in PHP 6.0.0.
*** Bug 452206 has been marked as a duplicate of this bug. ***
*** Bug 452207 has been marked as a duplicate of this bug. ***
*** Bug 436541 has been marked as a duplicate of this bug. ***
*** Bug 476985 has been marked as a duplicate of this bug. ***
*** Bug 476986 has been marked as a duplicate of this bug. ***
*** Bug 459569 has been marked as a duplicate of this bug. ***
*** Bug 539529 has been marked as a duplicate of this bug. ***
Mitre's CVE-2009-3557 entry:
---------------------------
The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable or world-writable directories, via the dir and prefix arguments.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288945
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6601

Mitre's CVE-2009-3558 entry:
----------------------------
The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions, and create FIFO files, via the pathname and mode arguments, as demonstrated by creating a .htaccess file.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/posix/posix.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/posix/posix.c?view=log
http://svn.php.net/viewvc?view=revision&revision=288943
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
http://secunia.com/advisories/37412
http://securityreason.com/securityalert/6600
*** Bug 541239 has been marked as a duplicate of this bug. ***
*** Bug 548532 has been marked as a duplicate of this bug. ***
*** Bug 577578 has been marked as a duplicate of this bug. ***
*** Bug 617578 has been marked as a duplicate of this bug. ***
*** Bug 601897 has been marked as a duplicate of this bug. ***
*** Bug 598562 has been marked as a duplicate of this bug. ***
*** Bug 617211 has been marked as a duplicate of this bug. ***
*** Bug 618359 has been marked as a duplicate of this bug. ***
*** Bug 618366 has been marked as a duplicate of this bug. ***
*** Bug 618579 has been marked as a duplicate of this bug. ***
*** Bug 617180 has been marked as a duplicate of this bug. ***
*** Bug 618785 has been marked as a duplicate of this bug. ***
*** Bug 601901 has been marked as a duplicate of this bug. ***
*** Bug 619324 has been marked as a duplicate of this bug. ***
*** Bug 651204 has been marked as a duplicate of this bug. ***
*** Bug 656917 has been marked as a duplicate of this bug. ***
*** Bug 662707 has been marked as a duplicate of this bug. ***
*** Bug 670792 has been marked as a duplicate of this bug. ***
*** Bug 683183 has been marked as a duplicate of this bug. ***
*** Bug 718253 has been marked as a duplicate of this bug. ***
*** Bug 802591 has been marked as a duplicate of this bug. ***
*** Bug 783609 has been marked as a duplicate of this bug. ***
*** Bug 841972 has been marked as a duplicate of this bug. ***
Created attachment 599581
CVE-2012-3365-test.patch

Use this patch to fix this issue. I have used this patch file on my PHP 5.2.17 and got this from http://git.php.net/?p=php-src.git;a=commit;h=055ecbc62878e86287d742c7246c21606cee8183
*** Bug 918196 has been marked as a duplicate of this bug. ***
(In reply to Tomas Hoger from comment #13)
> Safe mode feature was removed upstream for the upcoming PHP 6 release:
>
> http://www.php.net/manual/en/features.safe-mode.php
>
> Warning: Safe Mode was removed in PHP 6.0.0.

Upstream versioning plans apparently changed since comment 13 was made. Safe mode was deprecated in 5.3.0 and removed in 5.4.0.
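
Added example (not code from this bug report, Red Hat or the PHP project): a small audit that flags a php.ini relying on safe_mode or open_basedir, using the upstream version ranges quoted in the CVE-2009-3557 and CVE-2009-3558 entries and the 5.4.0 safe mode removal noted in the last comment. The function names, finding labels and sample php.ini are constructed for illustration; a distribution package version may not map one-to-one onto the upstream ranges.

```python
import re

TRUTHY = {"1", "on", "true", "yes"}
# directive = "quoted value"  or  directive = bare value ; trailing comment
ASSIGN = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_ini(text):
    """Return {directive: value}; later assignments override earlier ones."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)  # ';' comment lines and '[section]' lines never match
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            settings[m.group(1).lower()] = value.strip()
    return settings

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    return tuple(int(part) for part in m.groups())

def audit(version, ini_text):
    """Return finding labels (hypothetical names) for one PHP version + php.ini."""
    v = parse_version(version)
    ini = parse_ini(ini_text)
    safe_mode = ini.get("safe_mode", "").lower() in TRUTHY
    basedir = bool(ini.get("open_basedir"))
    # Upstream range from the CVE text: 5.2.11 and earlier, 5.3.x before 5.3.1.
    in_cve_range = v <= (5, 2, 11) or (5, 3, 0) <= v < (5, 3, 1)
    findings = []
    if safe_mode:  # removed in 5.4.0, so the directive no longer does anything there
        findings.append("safe_mode-removed" if v >= (5, 4, 0)
                        else "safe_mode-not-a-boundary")
    if basedir:
        findings.append("open_basedir-not-a-boundary")
    if in_cve_range and safe_mode:
        findings.append("CVE-2009-3557")  # tempnam() safe_mode bypass
    if in_cve_range and basedir:
        findings.append("CVE-2009-3558")  # posix_mkfifo() open_basedir bypass
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE_INI = """[PHP]
; shared hosting restrictions
safe_mode = On
open_basedir = "/var/www/site:/tmp"
"""

if __name__ == "__main__":
    for ver in ("5.2.10", "5.3.1", "5.4.0"):
        print(ver, audit(ver, SAMPLE_INI))
```

A host that reports either "not-a-boundary" label needs its isolation between scripts enforced outside the interpreter, such as separate OS users and file permissions.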