-1

I am performing a pen test on a web server as one of the tasks in an exam, and after exploiting an unrestricted file upload vulnerability (https://www.owasp.org/index.php/Unrestricted_File_Upload), I am trying to access a certain folder on the web server, and I am getting this error:

Warning: scandir(): open_basedir restriction in effect. File(C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS) is not within the allowed path(s): (C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs;C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS) in C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments\4b3519fbe17e82993e76927e5f253e33\hack.php

Please notice that the path is actually in the allowed paths (I guess that was the point of this task in the exam, to steal all the user sessions).

I do not have access to the server so I cannot change any settings on the server, I only have to get all the sess_* files that are probably stored in that C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS folder.

These are the contents of my hack.php file:

```php
<?php
// Planted listing script: prints the name of every entry in the directory
// given by the "path" query parameter, one per line.
$files = scandir($_GET['path']);
// scandir() returns false (and emits the warning quoted above) when the
// directory cannot be read; iterating over false would only add a second warning.
if ($files === false) {
    exit;
}
foreach ($files as $file) {
    echo $file;
    echo "\n";
}
?>
```

I have tried accessing the other path in the allowed paths and it's the same. But the odd thing is that I can read the contents of the C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments, but not the C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs, which is actually in the allowed paths.

Am I doing something wrong here?

Smar
  • FWIW, things like `function($_GET["foo"]);` are highly insecure and usually completely negate any possible security. Take the value into a variable, sanitize it, pass the sanitized value, and then start to talk about security again. – Smar Apr 10 '16 at 08:39
  • @Smar I agree completely, if that was a part of the code. But that file is an exploit, it is not meant to be secure. I planted it there as a malicious attempt to gain access to the web site, it is meant to be insecure and exploitable. – Nenad Pavicevic Apr 10 '16 at 08:52
  • I added the Windows tag as this is for PHP on Windows, and there are often differences between Linux and Windows when talking about PHP; I wouldn't be surprised if basedir was one of those. Feel free to delete the tag if you feel it shouldn't be there. There are also Windows file permissions; can those affect this too? – Smar Apr 10 '16 at 09:07
  • [The PHP doc](http://php.net/manual/en/ini.core.php#ini.open-basedir) is saying something like ”As an Apache module, open_basedir paths from parent directories are now automatically inherited”. I guess you have Apache on Windows here, so maybe that would be the reason the strange path gets added to the safedir? Maybe there is overriding config elsewhere too? – Smar Apr 10 '16 at 09:11
  • Sure, thanks for the update. As for the file permissions, yeah, that might be it too. But as I do not have access to the server, I cannot know. – Nenad Pavicevic Apr 10 '16 at 09:14
  • As this is a blackbox test, I know very little about the server and the config. I know it is an IIS 7.5 on Windows Server 2008 with PHP 5.4.13. – Nenad Pavicevic Apr 10 '16 at 09:17
  • Talking about security, why in the world does PHP return those allowed paths within the error... – Smar Apr 10 '16 at 09:20
  • Well this is an exam environment, it is meant to sort of lead you to things. The entire site is very vulnerable, the goal is to find the vulnerabilities and log in to the admin area. And one of the tasks is to get those sessions. – Nenad Pavicevic Apr 10 '16 at 09:36
  • Yes, sorry, that point was kind of off-topic (and this comment too), but I just realized the implications of it and had to comment so I remember it :) PHP does that in real environments too. Hiding the errors away would solve it, but often the devs want to see the errors somewhere, so there can be an easy way to access the errors anyway (if they are written to a log). – Smar Apr 10 '16 at 09:45
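Smar's comment about taking the query value into a variable and sanitizing it before calling `scandir()` describes the fix for the pattern in `hack.php`. The following is an added example, not code from the question, the comments or the exam site: a directory-listing handler that canonicalizes the requested path with `realpath()` and refuses anything outside one allowed base directory, doing at application level what `open_basedir` does in the PHP configuration. `$allowedBase` (a `ticketAttachments` directory next to the script) is an assumption; the error response deliberately names no paths, which is the leak Smar points out in PHP's own `open_basedir` warning.

```php
<?php
// Added example (not from the question or the comments): list a directory only
// if it lies inside one allowed base directory.
function list_directory_within($requested, $allowedBase)
{
    // realpath() resolves "..", "." and symlinks/junctions, and returns false
    // when the target does not exist, so a missing path is rejected here too.
    $base   = realpath($allowedBase);
    $target = realpath($requested);
    if ($base === false || $target === false) {
        return null;
    }

    // Compare with a trailing separator on both sides so that "httpdocs" does
    // not also match "httpdocs_old" (a pure prefix comparison would). This is
    // the same pitfall the PHP manual describes for open_basedir values that
    // lack a trailing slash.
    $base   = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $target = rtrim($target, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Windows paths are case-insensitive; Linux/Unix paths are not.
    $cmp = (DIRECTORY_SEPARATOR === '\\') ? 'strncasecmp' : 'strncmp';
    if ($cmp($target, $base, strlen($base)) !== 0) {
        return null; // outside the allowed tree
    }

    $entries = scandir($target);
    if ($entries === false) {
        return null;
    }
    // Drop "." and ".." and re-index the array.
    return array_values(array_diff($entries, array('.', '..')));
}

// Assumed layout: the only directory this endpoint may expose.
$allowedBase = __DIR__ . DIRECTORY_SEPARATOR . 'ticketAttachments';
$requested   = isset($_GET['path']) ? $_GET['path'] : $allowedBase;

header('Content-Type: text/plain');
$entries = list_directory_within($requested, $allowedBase);
if ($entries === null) {
    // One generic message: do not echo the allowed list or the resolved path.
    http_response_code(403);
    echo "Path not allowed or not found\n";
} else {
    echo implode("\n", $entries), "\n";
}
```

The check runs on the resolved path rather than on the raw query string, so `..` segments and junctions are handled by the filesystem before the comparison, and `realpath()` failing is treated as a denial rather than as an error worth describing to the client.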

2 Answers

0

It's a simple typo problem.

You want to access:         C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS
The allowed path contains:  C:\inetpub\sitesdata\mysites.com\SESSIONS\USERS

Notice the missing "s"?

Chris
  • Oh sorry, I made that typo while typing the question here, I will correct that in the question. – Nenad Pavicevic Apr 10 '16 at 08:16
  • @NenadPavicevic Really? It looks like it's from a copied and pasted error message. It would surprise me if you had typed it all out. – Chris Apr 10 '16 at 08:27
  • No, I just changed the site name. Sorry for the misunderstanding. – Nenad Pavicevic Apr 10 '16 at 08:31
  • @NenadPavicevic Could you just confirm you have re-run the code and copied and pasted the error message again rather than just manually correcting it? – Chris Apr 10 '16 at 08:40
  • No, I manually corrected it. Does it matter? I copied and pasted the message the first time, I just changed the name of the site to mysite.com in order to hide the real name. Is that a problem? – Nenad Pavicevic Apr 10 '16 at 08:47
  • @NenadPavicevic Yes, that would be a problem. The first error message was telling you that the path you were trying to access was not an allowed path and showed why it wasn't. If you just manually change the error message you remove any value that it provides. – Chris Apr 10 '16 at 08:50
  • Sorry, I think that we are not on the same page here. In the original error message I got, the paths are identical, I have just made a typo when trying to mask the name of the original site I was working on and changed to mysite.com. So in the original message the path I am trying to access and the path that is in the allowed paths are identical. That is my problem, I do not know why I cannot access it, when it is stated in that allowed paths. – Nenad Pavicevic Apr 10 '16 at 08:57
  • @NenadPavicevic Oh, okay that makes sense. – Chris Apr 10 '16 at 08:59
  • Yeah, sorry for the misunderstanding. :) – Nenad Pavicevic Apr 10 '16 at 09:02
-1

The issue is not related to the code, but to the path restriction.

allowed path(s):

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs

C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS

You are not able to read from the above folders, but from directories after these folders.

As an example, let's use the path from your error message:

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments\4b3519fbe17e82993e76927e5f253e33\hack.php

Because of the allowed path, you can read from the following directories/files:

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments\4b3519fbe17e82993e76927e5f253e33\hack.php

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments\4b3519fbe17e82993e76927e5f253e33

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs\ticketAttachments

But you won't be able to read from:

C:\inetpub\vhosts\mysite.com\subdomains\me\httpdocs

Therefore, to solve this issue, you need to read from the directory

C:\inetpub\sitesdata\mysite.com\SESSIONS\USERS\THIS_DIRECTORY_ONWARDS

Also, as another hint for anyone else having trouble with this: single quotes and double quotes in PHP have a different effect on the variables and escape sequences within the string literal.

P.S.: I did the same exam and had some trouble, which is how I came across this thread. I know the solution and have therefore left some breadcrumbs and thoughts here so that other people do not make the same mistake.
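The answer above states that the directories named in `open_basedir` cannot themselves be listed, only their subdirectories; whether that holds on a given build is something an administrator can verify directly rather than infer from a warning. The following is an added example, not code from the question or either answer: a command-line probe that tightens `open_basedir` at runtime (PHP 5.3 and later allow narrowing it with `ini_set()`, never widening) and reports, for each probe path, whether `scandir()` succeeded, was refused by `open_basedir`, or failed for another reason. `$basedir` and the probe list are assumptions; point them at directories that exist on the host being checked.

```php
<?php
// Added example (not from the page): report how the effective open_basedir
// treats the listed directory itself, a subdirectory, its parent and a sibling
// that merely shares the prefix.

function classify_scandir($path)
{
    $captured = null;
    // Capture the warning text instead of suppressing it, so a denial by
    // open_basedir can be told apart from a directory that does not exist.
    set_error_handler(function ($errno, $errstr) use (&$captured) {
        $captured = $errstr;
        return true; // handled: do not print the warning
    });
    $entries = scandir($path);
    restore_error_handler();

    if ($entries !== false) {
        return 'allowed';
    }
    if ($captured !== null && strpos($captured, 'open_basedir') !== false) {
        return 'denied by open_basedir';
    }
    return 'failed: ' . ($captured === null ? 'unknown error' : $captured);
}

function probe_open_basedir(array $paths)
{
    $results = array();
    foreach ($paths as $path) {
        $results[$path] = classify_scandir($path);
    }
    return $results;
}

// Assumption: the directory to test (taken from the question's error message).
$basedir = 'C:\\inetpub\\vhosts\\mysite.com\\subdomains\\me\\httpdocs';

// ini_set() returns false when the new value is not inside the restriction
// already in force (open_basedir can only be tightened at runtime).
if (ini_set('open_basedir', $basedir) === false) {
    fwrite(STDERR, "could not set open_basedir; current value: "
        . ini_get('open_basedir') . "\n");
    exit(1);
}

$probes = array(
    $basedir,                                              // the listed directory itself
    $basedir . DIRECTORY_SEPARATOR . 'ticketAttachments',  // a subdirectory
    dirname($basedir),                                     // the parent: expected to be denied
    $basedir . '_old',                                     // hypothetical sibling sharing the prefix
);

foreach (probe_open_basedir($probes) as $path => $verdict) {
    printf("%-75s %s\n", $path, $verdict);
}
```

The sibling probe is there because the PHP manual describes `open_basedir` values without a trailing slash as prefixes, so a setting of `...\httpdocs` can admit `...\httpdocs_old` if such a directory exists; ending the configured value with a directory separator restricts it to the directory itself. Run the script with the CLI binary of the same PHP build the web server uses, since the value in `php.ini` and any per-site override are what the probe inherits.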