Andy 1, PHP 0


So, what happens when there’s a PHP bug that permits any user to circumvent the open_basedir restriction and it affects all PHP versions?

Firstly, you test:

PHP Exploit Code 

Then, you patch… For php 4.4.2,

Edit ext/zlib/zlib_fopen_wrapper.c, and at approximately line 123, add the code in the comments (/* BEGIN… */ to /* END… */). Surrounding code is included to allow you to locate where to insert the code. Ensure that the code IS in the specified position below.

This will prevent the zlib:// functionality from allowing users to circumvent open_basedir restrictions.

It is not a perfect solution, but it seems to work :-)

One Response to “Andy 1, PHP 0”

  1. Pollita Says:

    The problem here was not that zlib was failing to do an open basedir check. That’s actually the job of whatever wrapper corresponds with path.

    Take this example:

    $fp = fopen('compress.zlib://http://www.example.com', 'r');

    Here, compress.zlib shouldn’t attempt to check ‘http://www.example.com’ against open basedir restrictions as the setting really has no context outside of the local file system.

    Ordinarily the open_wrapper() call (the line that immediately follows the patched region above) is told to instruct the innerstream’s wrapper to do this check by NOT passing STREAM_DISABLE_OPEN_BASEDIR with the options parameter.

    In the case of the copy() function, this option *was* being passed during the initial open_wrapper call (and thus getting passed right through to the inner open_wrapper).

    Short version: The wrappers did exactly as they were told. They just got bad orders.
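The option propagation described in the comment above, as an added C model that is not part of the original post, the comment, or PHP's source. Only the flag name STREAM_DISABLE_OPEN_BASEDIR comes from the page; every function name, the flag's value, the base directory and the sample paths are constructed, and the masking variant is one illustrative hardening, not the post's patch or PHP's actual fix.

```c
#include <stdio.h>
#include <string.h>

#define STREAM_DISABLE_OPEN_BASEDIR 0x400  /* flag named on the page; value chosen for this model */
#define BASEDIR     "/var/www/site/"       /* constructed open_basedir value */
#define ZLIB_SCHEME "compress.zlib://"

/* A prefix comparison stands in for the real open_basedir check. */
static int inside_basedir(const char *path) {
    return strncmp(path, BASEDIR, strlen(BASEDIR)) == 0;
}

/* Inner wrapper: URLs are not checked (open_basedir has no meaning for them);
 * local paths are checked unless the caller disabled the check. */
static int open_inner(const char *path, int options) {
    if (strstr(path, "://") != NULL) return 1;
    if (options & STREAM_DISABLE_OPEN_BASEDIR) return 1;
    return inside_basedir(path);
}

/* Outer wrapper: strips its scheme and delegates. With mask_flag == 0 the
 * options are forwarded unchanged, which is the behaviour the comment describes. */
static int open_zlib(const char *url, int options, int mask_flag) {
    size_t n = strlen(ZLIB_SCHEME);
    if (strncmp(url, ZLIB_SCHEME, n) != 0) return 0;   /* not ours */
    if (mask_flag) options &= ~STREAM_DISABLE_OPEN_BASEDIR;
    return open_inner(url + n, options);
}

/* Caller that leaves the check to the inner wrapper (the ordinary case). */
int model_fopen(const char *url) { return open_zlib(url, 0, 0); }

/* Caller that sets the disable flag on the initial open, as copy() did. */
int model_copy(const char *url) {
    return open_zlib(url, STREAM_DISABLE_OPEN_BASEDIR, 0);
}

/* Same caller, but the outer wrapper refuses to forward the flag. */
int model_copy_masked(const char *url) {
    return open_zlib(url, STREAM_DISABLE_OPEN_BASEDIR, 1);
}

int main(void) {
    const char *outside = ZLIB_SCHEME "/home/other/data.gz";  /* constructed path */
    printf("fopen: %d, copy: %d, copy with masking: %d\n",
           model_fopen(outside), model_copy(outside), model_copy_masked(outside));
    return 0;
}
```

A return value of 1 means the open was allowed; the unmasked copy() path is the only one that allows the path outside the base directory.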
