Hole in PHP's open_basedir restrictions
Stefan Esser of the Hardened PHP project warns that the symlink() function is a potential hole through which PHP code can evade open_basedir restrictions and so gain access to forbidden files.
PHP's open_basedir setting lets administrators restrict PHP scripts to a preset list of directories. Shared web hosting providers, for example, use it to prevent one customer's scripts from reading other users' directories or system files. When a file is opened, PHP checks the requested path to decide whether the access is permitted.
It turns out that there is a window of time between that check and the actual file operation during which a second script can change the target. Using a construction with symbolic links and a PHP script that repeatedly switches a link back and forth between a permitted and a forbidden file, Esser was able to produce what is known as a race condition. Even though most of the access attempts fail, at some point the check succeeds against the permitted target while the operation itself hits the forbidden file. According to Esser, this kind of attack can only be prevented by disabling the symlink() PHP function whenever open_basedir is in use.
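The practical consequence for an administrator is a configuration rule: wherever open_basedir is set, symlink should also appear in disable_functions. The following audit script is an added example, not code from Esser or the PHP project; it parses a php.ini-style text and reports when the restriction is present without the mitigation. The two sample configurations and the path /var/www/site1 are constructed for the example.

```python
def parse_php_ini(text):
    """Return {directive: value} for a php.ini-style text (last assignment wins).
    Full-line ';' comments and [section] headers are skipped; a quoted value keeps
    any ';' inside the quotes, an unquoted value loses a trailing ';comment'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"') and value.count('"') >= 2:
            value = value[1:value.index('"', 1)]
        else:
            value = value.split(";", 1)[0].strip()
        settings[key.lower()] = value
    return settings

def disabled_functions(settings):
    """Names listed in disable_functions, lower-cased and stripped of spaces."""
    raw = settings.get("disable_functions", "")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}

def audit_open_basedir(ini_text):
    """Return findings for the open_basedir/symlink combination; empty list means OK."""
    settings = parse_php_ini(ini_text)
    if not settings.get("open_basedir"):
        return ["open_basedir is not set: no directory restriction is enforced"]
    if "symlink" not in disabled_functions(settings):
        return ["open_basedir is set but symlink is not in disable_functions: "
                "a script can race the path check by re-pointing a symlink"]
    return []

# Constructed sample configurations (not taken from any real deployment).
WEAK_INI = """
[PHP]
; restriction present, matching mitigation missing
open_basedir = "/var/www/site1:/tmp"
disable_functions = exec,shell_exec
"""

HARDENED_INI = """
[PHP]
open_basedir = "/var/www/site1:/tmp"
disable_functions = exec, shell_exec, symlink   ; symlink() cannot race the check
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_open_basedir(ini) or ["no findings"])
```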
- PHP open_basedir Race Condition Vulnerability by Stefan Esser