
Hardened-PHP Project:
Advisory - PHP open_basedir Race Condition Vulnerability
October 04, 2006 @ 09:10:00

The Hardened-PHP Project has published another advisory today, this time for an issue with one of PHP's own features, open_basedir:

The design of the open_basedir feature of PHP that is meant to disallow access to files outside a set of configured directories is vulnerable to race conditions.

It was discovered that this design flaw can be exploited with the usage of PHP's symlink() function in a very easy way. We believe that the only solution to this problem is disabling the function symlink() while open_basedir is used (this feature was therefore added to our Suhosin PHP Security Extension).

They also note, unfortunately, that the problem may not be fixable due to how it can be implemented. They provide a more detailed explanation and some PHP pseudo-code to help illustrate the point.
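
A check for the mitigation the advisory names, as an added example that is not code from the advisory or from this site: it reports whether a PHP runtime has open_basedir in effect while symlink() is absent from disable_functions. The function name `audit_open_basedir` and the sample values are hypothetical, and the check reads only the disable_functions directive, so symlink() being blocked by other means is not detected.

```php
<?php
// Added example: audits a PHP runtime for the condition named in the advisory,
// open_basedir in effect while symlink() is still callable.

/**
 * Pure decision function so it can be exercised with constructed values.
 * $openBasedir      value of the open_basedir directive ('' means unrestricted)
 * $disableFunctions value of the disable_functions directive
 */
function audit_open_basedir(string $openBasedir, string $disableFunctions): array
{
    // open_basedir is a list of directories joined by the platform path separator.
    $dirs = array_values(array_filter(
        array_map('trim', explode(PATH_SEPARATOR, $openBasedir)),
        'strlen'
    ));
    // disable_functions is comma-separated; function names are case-insensitive.
    $disabled = array_filter(array_map(
        function ($f) { return strtolower(trim($f)); },
        explode(',', $disableFunctions)
    ), 'strlen');
    $symlinkDisabled = in_array('symlink', $disabled, true);

    if ($dirs === []) {
        $status = 'not-applicable';  // open_basedir is not in use
    } elseif ($symlinkDisabled) {
        $status = 'mitigated';       // the setting the advisory recommends
    } else {
        $status = 'exposed';         // open_basedir set, symlink() still available
    }
    return ['status' => $status, 'open_basedir' => $dirs, 'symlink_disabled' => $symlinkDisabled];
}

// Constructed sample values, not taken from any real server.
$samples = [
    ['/var/www/site1', 'exec,system'],    // exposed
    ['/var/www/site1', 'exec, Symlink'],  // mitigated
    ['', ''],                             // not-applicable
];
foreach ($samples as [$ob, $df]) {
    $status = audit_open_basedir($ob, $df)['status'];
    printf("%-16s | %-14s => %s\n", $ob ?: '(unset)', $df ?: '(none)', $status);
}

// Live values for the SAPI this script runs under (CLI and web SAPIs often differ).
$live = audit_open_basedir((string) ini_get('open_basedir'), (string) ini_get('disable_functions'));
printf("this runtime (%s): %s\n", PHP_SAPI, $live['status']);
```

Run it under each SAPI and virtual host that sets open_basedir, since the directive can be overridden per host and the command-line result may not match the web server's.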




All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework