When accessing files on the local filesystem, PHP can enforce security checks that defend against some attacks. The open_basedir setting in the main PHP configuration defines the set of directories that the application is allowed to access; access to locations outside these directories is blocked.
The PHP runtime allows the application to access every file underneath the configured set of directories. If no value is set, the application may access any file on the filesystem that its user account can read.
open_basedir is commonly used to ensure that a PHP application can only access the files it needs in order to function. While leaving this setting unset does not pose a direct threat to the application's security by itself, it makes the exploitation of other vulnerabilities easier and more severe.
If an attacker can exploit a path traversal vulnerability, they will be able to access any file made available to the application’s user account. This may include system-critical or otherwise sensitive files.
In shared hosting environments, a file access vulnerability in one application can affect all co-hosted applications, not only the vulnerable one. open_basedir can help limit the scope of the compromise in that case.
The main PHP configuration should define the open_basedir setting. This setting should not include overly large directories, such as the root directory of the filesystem.
Adding the current directory, denoted by ".", to the open_basedir configuration is also dangerous. It is possible to change the current directory within PHP scripts by calling chdir(), effectively removing any protection.
Noncompliant configuration examples:

; php.ini
open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list

; php.ini
; open_basedir= ; Noncompliant; setting commented out

Compliant configuration examples:

; php.ini
open_basedir="${USER}/scripts/data"

; php.ini try 1
open_basedir="/var/www/myapp/data"
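As an added example (not part of the original rule text), the following PHP script audits an open_basedir value for the weaknesses described above: an unset value, the filesystem root, and relative entries such as ".". It assumes a Unix-style filesystem ("/" root, ":" separator); the sample values are constructed, and /var/www/myapp/data is taken from the compliant example above.

```php
<?php
// Added example, not from the original rule page: audit an open_basedir
// value for the weaknesses the rule describes. Assumes a Unix-style
// filesystem ('/' root, ':' separator); sample values are constructed.
declare(strict_types=1);

/**
 * Return a list of findings for the given open_basedir value, or an empty
 * array when every entry is an absolute, non-root directory.
 */
function auditOpenBasedir(string $value): array
{
    if (trim($value) === '') {
        return ['open_basedir is unset: the script may read any file its user can'];
    }
    $findings = [];
    foreach (explode(PATH_SEPARATOR, $value) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            $findings[] = 'empty entry in the list';
        } elseif (rtrim($entry, '/') === '') {
            $findings[] = "'$entry' is the filesystem root: no restriction at all";
        } elseif ($entry[0] !== '/') {
            // '.', './data' and similar resolve against the working directory,
            // which any script can move with chdir().
            $findings[] = "'$entry' is relative: chdir() can redirect it anywhere";
        }
    }
    return $findings;
}

// The rule's examples (constructed values) plus the value in effect for this process.
$samples = [
    '/:/home/app/scripts/data',   // noncompliant: root directory in the list
    '',                           // noncompliant: setting commented out
    '.:/home/app/scripts/data',   // noncompliant: current directory
    '/var/www/myapp/data',        // compliant
    (string) ini_get('open_basedir'),
];
foreach ($samples as $s) {
    $f = auditOpenBasedir($s);
    printf("%-30s => %s\n", var_export($s, true), $f ? implode('; ', $f) : 'OK');
}

// open_basedir can be tightened at run time but never widened, so a script
// may narrow itself to its own data directory (constructed path) at startup.
if (@ini_set('open_basedir', '/var/www/myapp/data') === false) {
    echo "could not tighten open_basedir to that path\n";
}
```

Running the script under a php.ini that sets open_basedir to the filesystem root reports the same finding for the live value as for the constructed noncompliant sample.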