Protect against a now-public open_basedir bypass

author: jvoisin 2019-04-07 11:37:37 +0200
committer: jvoisin 2019-04-07 11:37:37 +0200
commit: 9d17a6a02f1f5d9b88b9df75cde2872a4328eee5 (patch)
tree: 57b0c48ec3749fc885caa691979526611ee54179 /config
parent: 809920b8cb130e105847a9956c51a6ecb08e2938 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
index 11d91b9..82f8b5d 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -42,6 +42,13 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
 # Since it's now burned, me might as well mitigate it publicly
 sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+# This is also burned:
+# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# Since we have no way of matching on two parameters at the same time, we're
+# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
+# Moreover, there are non-public bypasses that are also using this vector ;)
+sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
 ##Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
author	jvoisin	2019-04-07 11:37:37 +0200
committer	jvoisin	2019-04-07 11:37:37 +0200
commit	9d17a6a02f1f5d9b88b9df75cde2872a4328eee5 (patch)
tree	57b0c48ec3749fc885caa691979526611ee54179 /config
parent	809920b8cb130e105847a9956c51a6ecb08e2938 (diff)

diff --git a/config/default.rules b/config/default.rules index 11d91b9..82f8b5d 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -42,6 +42,13 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
42	# Since it's now burned, me might as well mitigate it publicly	42	# Since it's now burned, me might as well mitigate it publicly
43	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()	43	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
44		44
		45	# This is also burned:
		46	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
		47	# Since we have no way of matching on two parameters at the same time, we're
		48	# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
		49	# Moreover, there are non-public bypasses that are also using this vector ;)
		50	sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
		51
45	##Prevent various `include`-related vulnerabilities	52	##Prevent various `include`-related vulnerabilities
46	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php)$").allow();	53	sp.disable_function.function("require_once").value_r("\.(inc\|phtml\|php)$").allow();
47	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();	54	sp.disable_function.function("include_once").value_r("\.(inc\|phtml\|php)$").allow();