[BlueOnyx:12173] Re: {Disarmed} Re: PHP Issues on 5108R

Greg Kuhnert gkuhnert at compassnetworks.com.au
Sat Feb 9 00:04:34 -05 2013


Hi David & RC.

On 09/02/2013, at 7:03 AM, David Hahn <ml at sb9.com> wrote:

> On 2/8/2013 10:31 AM, Richard Barker wrote:
>> After installing a component in Joomla 2.5.9 I get this error when 
>> trying to use that component.
>> 
>> PHP Warning:  require_once(): open_basedir restriction in effect. 
>> File(/usr/share/pear/PEAR.php) is not within the allowed path(s): 
>> 
>> The site php path is this:
>> Open Basedir (Server):
>> /home/
>> /home/.sites/70/site4
>> /tmp/
>> /usr/sausalito/configs/php/
>> /var/lib/php/session/
>> /var/www/html/
>> 
>> And the Open Basedir (Vsite):
>> is empty
>> 
>> Thanks,
>> RC
>> 
> Try using just '/' (forward slash) in the GUI Open Basedir (Vsite): field.
> This defeats the security of open_basedir but allows the script to run.
> HTH
> David

Doesn't it make more sense to allow ONLY the directory you need for your app, instead of disabling openbasedir security totally? If I had a user who had trouble remembering his password, would I fix that by turning off passwords for all users? I don't think so.

If you bypass openbasedir, a vulnerability in a PHP app in one vsite may be able to modify files in more than just one vsite - especially if you are not using suphp. That's why openbasedir was invented. In the early days, Michael blocked doing stuff like putting this in to help keep people secure... but too many people complained. I personally wish he had not relented and had kept the logic in there to stop this type of insecure configuration.

Let's think about what is actually required. The log says that /usr/share/pear/PEAR.php is not in the allowed paths. Wouldn't it make more sense to just add /usr/share/pear/ into the server-wide allowed path? This will keep this Joomla module happy, and at the same time keep the server secure.

Regards,
Greg.
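As an added illustration (not code from the thread or from BlueOnyx), here is a small Python model of PHP's open_basedir prefix check, run against RC's server-wide list, David's '/' and Greg's extra '/usr/share/pear/' entry. PHP documents open_basedir entries as string prefixes, so the model compares normalised paths as prefixes; the sample paths are constructed, and symlink resolution is not modelled.

```python
import posixpath

# Constructed from the thread: RC's server-wide list plus the two proposed fixes.
SERVER_WIDE = ("/home/:/home/.sites/70/site4:/tmp/:/usr/sausalito/configs/php/:"
               "/var/lib/php/session/:/var/www/html/")
DISABLED = "/"                                # David's suggestion: '/' admits every path
SCOPED = SERVER_WIDE + ":/usr/share/pear/"    # Greg's suggestion: one extra prefix


def parse_open_basedir(value):
    """Split a Unix open_basedir value on ':' (PHP uses ';' on Windows)."""
    return [entry for entry in value.split(":") if entry]


def path_allowed(path, basedir):
    """Model of PHP's open_basedir test: the requested path is normalised (so '..'
    cannot escape) and must start with one entry as a plain string prefix.
    A trailing '/' on an entry is preserved, so '/home/' does not admit '/homer'
    while a bare '/home' entry would."""
    resolved = posixpath.normpath(path)
    for entry in parse_open_basedir(basedir):
        prefix = posixpath.normpath(entry)
        if entry.endswith("/") and not prefix.endswith("/"):
            prefix += "/"
        if resolved.startswith(prefix):
            return True
    return False


def explain(path, basedir):
    """Human-readable verdict in the wording of the warning RC saw."""
    if path_allowed(path, basedir):
        return "allowed"
    return "open_basedir restriction in effect"


if __name__ == "__main__":
    # Constructed sample paths: the file from the error, a file outside any vsite,
    # and a traversal attempt that normalises to that same file.
    samples = ("/usr/share/pear/PEAR.php",
               "/etc/passwd",
               "/usr/share/pear/../../../etc/passwd")
    for label, conf in (("server-wide", SERVER_WIDE),
                        ("vsite '/'", DISABLED),
                        ("+ /usr/share/pear/", SCOPED)):
        for sample in samples:
            print(f"{label:20} {sample:40} {explain(sample, conf)}")
```

Adding '/' opens every path on the box to the vsite, while the extra '/usr/share/pear/' prefix admits PEAR.php and nothing else new.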