 ID:               38799
 Updated by:       [EMAIL PROTECTED]
 Reported By:      chrysalis at chrysalisnet dot org
-Status:           Open
+Status:           Feedback
 Bug Type:         PHP options/info functions
 Operating System: freebsd 6.x and 5.x
 PHP Version:      4.4.4
 New Comment:

Yes, only php.ini, no php_admin_* directives.


Previous Comments:
------------------------------------------------------------------------

[2006-09-13 20:16:43] chrysalis at chrysalisnet dot org

ok, this is now working. I apologise, as I remember doing this before and
there was still a problem. I will leave the modules disabled until you
are ready or for an hour or so.

------------------------------------------------------------------------

[2006-09-13 20:14:40] chrysalis at chrysalisnet dot org

ok, the modules are now disabled. It's already set in php.ini; I believed
this is just for the master value? Or do you want it completely removed
from the vhost container so there is only a master value?

------------------------------------------------------------------------

[2006-09-13 20:08:37] [EMAIL PROTECTED]

And please disable (temporarily) eAccelerator and all other modules
which affect PHP functionality.

------------------------------------------------------------------------

[2006-09-13 20:07:28] [EMAIL PROTECTED]

What if you set it in php.ini instead of httpd.conf?

------------------------------------------------------------------------

[2006-09-13 19:58:08] chrysalis at chrysalisnet dot org

ok, here is the info you requested.

include("/etc/passwd");

is the exact line I used in the php file. This generates the following
in the apache error_log for the vhost.

[Wed Sep 13 20:51:48 2006] [error] PHP Warning: main() [<a href='function.main'>function.main</a>]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/chrysalis/:/tmp/:/var/www/:/var/uebimiau:/usr/local/lib/php/:/etc/virtual/:/usr/uebimiau) in /home/chrysalis/domains/chrysalisnet.org/public_html/exploit.php on line 17
[Wed Sep 13 20:51:48 2006] [error] PHP Warning: main(/etc/passwd) [<a href='function.main'>function.main</a>]: failed to open stream: Operation not permitted in /home/chrysalis/domains/chrysalisnet.org/public_html/exploit.php on line 17

This indicates to me open_basedir is in effect, as it's generating the
correct log entry, but then the /etc/passwd is displayed in the browser
window.

In phpinfo I get the following data for the open_basedir local value.

open_basedir /home/chrysalis/:/tmp/:/var/www/:/var/uebimiau:/usr/local/lib/php/:/etc/virtual/:/usr/uebimiau

The master value is the same with 1 extra dir, /etc/awstats

URL temporarily up for your convenience:
http://www.chrysalisnet.org/phpinfo.php

The master value is set in php.ini; the local value is set in a vhost
container in httpd.conf using "php_admin_value open_basedir".

I checked the exact same script on php 5.1.5, which has the same php
settings other than php 5 specific settings, and it works as it should.
I am about to try with php 4.4.3 to see if that has the same behaviour.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/38799

-- 
Edit this bug report at http://bugs.php.net/?id=38799&edit=1