The open base directory (open_basedir) setting in PHP is a security feature that defines the locations or paths from which PHP is allowed to access files. It acts as a whitelist of the folders the web application may access: any request for a file outside the open_basedir list is rejected. The restriction is enforced on file functions such as fopen() and gzopen(). If open_basedir is turned off, an attacker will be able to access any file through PHP.

The setting is found in the Apache configuration file, or httpd.conf file, under the name php_admin_value open_basedir. Using the phpinfo() function, an attacker can confirm whether the site has the open base directory enabled or disabled. If it is disabled, the attacker can plan an attack according to the vulnerability.
The following code is an example of a disabled open_basedir.
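As an added example (not code from the original page), the Python script below audits an Apache configuration for virtual hosts where php_admin_value open_basedir is missing, commented out, or cleared with the value none. The configuration text and host names are constructed, and Include files and `<Directory>` scopes are not resolved.

```python
import re

# Constructed sample Apache configuration (not taken from a real server).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName shop.example.test
    php_admin_value open_basedir "/var/www/shop/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
    # php_admin_value open_basedir /var/www/blog/
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.example.test
    php_admin_value open_basedir none
</VirtualHost>
"""

DIRECTIVE = re.compile(r'^php_admin_value\s+open_basedir\s+(.+)$', re.I)
SERVER_NAME = re.compile(r'^ServerName\s+(\S+)', re.I)

def audit_open_basedir(conf_text):
    """Map each VirtualHost's ServerName to its open_basedir (None = unrestricted)."""
    vhosts, server_wide, current = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # a commented-out directive does not restrict anything
        low = line.lower()
        if low.startswith('<virtualhost'):
            current = {'name': '(unnamed)'}
        elif low.startswith('</virtualhost') and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None and (m := SERVER_NAME.match(line)):
            current['name'] = m.group(1)
        elif m := DIRECTIVE.match(line):
            value = m.group(1).strip('"\'')
            scope = server_wide if current is None else current
            scope['value'] = None if value.lower() == 'none' else value  # "none" clears it
    # A vhost without its own directive inherits the server-wide value, if any.
    return {v['name']: v.get('value', server_wide.get('value')) for v in vhosts}

def unrestricted_vhosts(conf_text):
    return sorted(n for n, v in audit_open_basedir(conf_text).items() if v is None)

if __name__ == '__main__':
    for name in unrestricted_vhosts(SAMPLE_CONF):
        print(f"{name}: open_basedir is not set")
```
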
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-