Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-3333

"open_basedir" should limit file access

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Hide
      * Set "open_basedir".
      * Limit "open_basedir" to a narrower path than "xxx".
      Show
      * Set "open_basedir". * Limit "open_basedir" to a narrower path than "xxx".
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Covered Languages:
      PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • CWE:
      CWE-23, CWE-36
    • OWASP:
      A6

      Description

      The open_basedir configuration in php.ini limits the files the script can access using, for example, include and fopen(). Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path.

      open_basedir should be configured with a directory, which will then be accessible recursively. However, the use of . (current directory) as an open_basedir value should be avoided since it's resolved dynamically during script execution, so a chdir('/') command could lay the whole server open to the script.

      This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when open_basedir is not present in php.ini, and when open_basedir contains root, or the current directory (.) symbol.

      Noncompliant Code Example

      ; php.ini try 1
      ; open_basedir="${USER}/scripts/data"  Noncompliant; commented out
      
      ; php.ini try 2
      open_basedir="/:${USER}/scripts/data"  ; Noncompliant; root directory in the list
      

      Compliant Solution

      ; php.ini try 1
      open_basedir="${USER}/scripts/data"
      

      See

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                ann.campbell.2 Ann Campbell
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: