Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Race Condition Lets Users Bypass open_basedir Restrictions
SecurityTracker Alert ID:  1016977
SecurityTracker URL:
CVE Reference:   CVE-2006-5178   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Oct 4 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.x, 5.x
Description:   A vulnerability was reported in PHP. A user can bypass open_basedir access controls.

The open_basedir feature contains a design flaw. A user can invoke the PHP symlink() function in a certain manner to exploit a race condition and change the path of a target file between the time the open_basedir function checks the access control settings for the requested file and the time the function makes an open() call to the requested file.

A special sequence of mkdir(), unlink(), and symlink() calls is required.

The vendor was notified on October 2, 2006.

Stefan Esser of the Hardened-PHP Project reported this vulnerability.

The original advisory is available at:

Impact:   A user may be able to gain access to files outside a set of configured directories.
Solution:   No solution was available at the time of this entry.

The report indicates that, as a workaround, you can disable the symlink() function if you are using the open_basedir by adding symlink to the list of disabled functions within the 'php.ini' configuration file:


Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Advisory 08/2006: PHP open_basedir Race Condition

Hash: SHA1

                        Hardened-PHP Project

                      -= Security  Advisory =-

     Advisory: PHP open_basedir Race Condition Vulnerability
 Release Date: 2006/10/04
Last Modified: 2006/10/04
       Author: Stefan Esser []

  Application: PHP 4/5
 Not affected: PHP with Suhosin Extension 0.9.6
     Severity: A design flaw of open_basedir allows bypassing it
               with the symlink() function
         Risk: Critical


   Quote from
   "PHP  is a widely-used general-purpose scripting language that 
    is especially suited for Web development and can be embedded 
    into HTML."

   The design of the open_basedir feature of PHP that is meant to 
   disallow access to files outside a set of configured directories
   is vulnerable to race conditions.
   It was discovered that this design flaw can be exploited with
   the usage of PHP's symlink() function in a very easy way.
   We believe that the only solution to this problem is disabling
   the function symlink() while open_basedir is used (this feature 
   was therefore added to our Suhosin PHP Security Extension).
   Fixing the flaw in the open_basedir design seems infeasible
   because there is no way to fix the potential race condition
   when accessing the file is done within an external library.
   The successful exploitation of this vulnerability allows access
   to files normally not accessible due to the open_basedir


   PHP's open_basedir feature is meant to disallow scripts to access
   files outside a set of configured base directories. The checks
   for this are placed within PHP functions dealing with files before
   the actual open call is performed.
   Obviously there is a little span of time between the check and the 
   actual open call. During this time span the checked path could
   have been altered and point to a file that is forbidden to be
   accessed due to open_basedir restrictions.
   Because the open_basedir restrictions often not call PHP functions
   but 3rd party library functions to actually open the file it is
   impossible to close this time span in a general way. It would only
   be possible to close it when PHP handles the actual opening on it's

   While it seems hard to change the path during this little time span
   it is very simple with the use of the symlink() function combined
   with a little trick. PHP's symlink() function ensures that source
   and target of the symlink operation are allowed by open_basedir
   restrictions (and safe_mode). However it is possible to point a
   symlink to any file by the use of mkdir(), unlink() and at least 
   two symlinks.
   Example (pseudo PHP code):
   symlink("a/a/a/a/a/a", "dummy");
   symlink("dummy/../../../../../../", "xxx");
   symlink(".", "dummy");
   After this code sequence "xxx" points to 6 directories up. Having
   achieved this it is possible for an attacker to exploit the race
   condition by creating 2 PHP scripts.
   The first script alternates a symbolic link between a file that
   is allowed and the one that is forbidden by open_basedir and the
   second script simply puts loops around operations trying to 
   operate on the symbolic link.
   The result is that sometimes in the loop the race is lost and the
   operation is performed on the allowed file, sometimes it just 
   produces errors, because the symlink was deleted and sometimes it
   triggers the open_basedir error-message. However sooner or later
   the race will be won and the operation is performed on the file
   that is actually forbidden due to open_basedir restrictions.

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.

Disclosure Timeline:

   02. October 2006 - Notified
   04. October 2006 - Public Disclosure


   Because the design flaw cannot be solved it is strongly recommended
   to disable the symlink() function if you are using the open_basedir 
   feature. You can achieve that by adding symlink to the list of 
   disabled functions within your php.ini
   Additionally you should start thinking about not relying on PHP's
   open_basedir and safe_mode restrictions but on actual operating
   system features like chroots and jails, because open_basedir and
   safe_mode are simply insecure by design.
   As usual we also strongly recommend to install the latest version
   of our Suhosin Extension. The current version 0.9.6 disallows 
   symlink() while open_basedir is used by default. Additionally it
   comes with configurable function black- and white-lists that
   can work (unlike disable_functions) on a per virtual host basis.

   Grab your copy and more information at:


   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.4.3 (GNU/Linux)


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC