Implementation of the open_basedir option in PHP is incorrect and leads to race condition. This can allow an attacker to bypass the checks and gain access to protected files.

Enabled open_basedir option tries to limit the list of files that can be handled by PHP programs specified in php.ini directories. If the working directory is specified using ., the directory can be modified by an attacker using chdir().

The implementation of the open_basedir option is incorrect and leads to a race condition of type TOCTOU (time-of-check, time-of-use). A race condition occurs because of the uncertainty of the order of the operations of access rights check and opening the file. An attacker can exploit this and replace the symbolic link, thereby obtaining an access to a protected file.

The window of opportunity for an attacker is limited to the time between access rights check and opening the file. Modern operating systems do not provide guarantees as to how much code is executed before a certain process will have access to the processor. There are techniques that extend this range. In any case, the attack can be repeated until it succeeds.

PHP : Undocumented feature: time bomb

DerScanner Severity Score

Do you want to fix PHP : Undocumented feature: time bomb in your application?

See also