Phpinfo() Open Base Directory Is Disabled

By
Nash N Sulthan
Published on
02 Jul 2018
1 min read
Vulnerability

The open base directory (open_basedir) in PHP is a security function which is used to define the locations or paths from which the PHP is allowed to access files. The open_basedir function is used to create a whitelist of all the web’s accessible folders. Any request for files outside the open_basedir’s list will be rejected. The open base directory enables the usage of two functions; fopen() and gzopen(). If open_basedir is turned off, the attacker will be able to access any files using PHP. The open_basedir can be found in apache configuration file or httpd.config file with the setting name as php_admin_value open_basedir. Using phpinfo() function an attacker can confirm if the site has disabled or enabled the open base directory. If the open base directory is disabled, he can plan an attacker according to the vulnerability.

Example

The following code is the example of disabled open_basedir.

        php_admin_value open_basedir none

    

Impact

Using this vulnerability, an attacker can:-

  • execute any files using PHP.
  • perform any attacks to extract sensitive information from the server.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Enable open_basedir.
  • Use input filtering methods.
  • Use updated versions of PHP.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment