Tuesday, February 16, 2010


SkyHi @ Tuesday, February 16, 2010

From time to time I get the question why I recommend enabling open_basedir and on the other hand call it a solution flawed by design. This is actually a good question, because the untrained PHP user might get a little bit confused about this and might believe that I change my opinion on a daily basis.

When looking at open_basedir one has to realise that it was designed to stop PHP scripts from accessing files outside the open_basedir restrictions. I have demonstrated in the past, that this is not safe and cannot be safe, because the design is unfixable flawed, due to 3rd party libraries accessing the files themself. Demonstrated here.

On the other hand one has to look at the greater picture. Security vulnerabilities will always exist and therefore the server setup has to be hardened against attacks. Suhosin merely exists because of the reality that there will always be vulnerable code. This is something many people misunderstand. They believe it is possible to fix all security holes by teaching people. This is however unrealisitc. Even the most skilled programmer can write insecure code.

Looking at it from this point of view it becomes obvious that every bit of additional protection is good. Suhosin and maybe one day PHP itself can protect you from all remote includes, but local includes are often also possible and in many situations they can be used to include code injected onto the server by some other means. Log files but also session storage files are a good example for that. On some systems the temporary filenames are also weak and therefore on those it is directly possible to include the temporary files uploaded with a POST upload, unless Suhosin is installed.

In this context open_basedir is a very powerful showstopper for include attacks. For a remote attacker it is not possible to break out of the open_basedir restrictions if he is only able to inject the name of a file to be included. Therefore the number of files he will be able to include with such a local file include vulnerability is limited. When the open_basedir is set correctly it should not be possible to include for example logfiles. The attacks becomes a lot less dangerous due to this.

There was only one known hole that allowed bypassing open_basedir/safe_mode from remote that was disclosed by the Hardened-PHP Project in 2004.