Vigil@nce: PHP, bypassing open_basedir
August 2009 by Vigil@nce
An attacker can use the "mail.log" variable in order to bypass the
open_basedir restriction.
Severity: 1/4
Consequences: data reading, data creation/edition, data deletion
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 10/08/2009
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The open_basedir configuration directive indicates directories
where a PHP script can open files.
The "mail.log" variable indicates the file where to log sent
emails.
However, when this variable is changed in the ".htaccess" file, a
PHP script can send an email to bypass open_basedir.
An attacker, allowed to upload a PHP script and to change the
".htaccess" file on the web server, can therefore create a file
outside open_basedir.
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8928
http://vigilance.fr/vulnerability/PHP-bypassing-open-basedir-8928