e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

File Inspector tries to traverse above the e107 docroot #4844

Closed Deltik closed 2 years ago

Deltik commented 2 years ago

Bug Description

Report by @dimmskii from Gitter:

[Mon Aug 08 00:33:58.185203 2022] [php7:error] [pid xxxxxx] [client xxx.xxx.xxx.xxx:xxxxx] PHP Fatal error: Uncaught RuntimeException: SplFileInfo::isDir(): open_basedir restriction in effect. File(/var/www/www.mydomain.com/htdocs/..) is not within the allowed path(s): (/var/www/www.mydomain.com/htdocs/) in /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php:608
Stack trace:
#0 /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php(608): SplFileInfo->isDir()
#1 /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php(594): file_inspector->inspect_existing()
#2 /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php(932): file_inspector->inspect()
#3 /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php(156): file_inspector->scan_results()
#4 /var/www/www.mydomain.com/htdocs/e107_handlers/admin_ui.php(1080): fileinspector_admin->init()
#5 /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php(249): e_admin_dispatcher->__construct()
#6 {main}
 thrown in /var/www/www.mydomain.com/htdocs/e107_admin/fileinspector.php on line 608, referer: https://www.mydomain.com/e107_admin/fileinspector.php?core=none&type=tree&missing=1&noncore=1&oldcore=1&scan=a4807caec4e844118a8c837616354631&mode=main&action=run

File scanner wants to access docroot/.. for some reason.

I have php admin value base_opendir set to my doc root in my vhost.

Temp is within docroot.

But does e107 require traversal all the way down to root of my unix or something?

dimmskii commented 2 years ago

#4845 Tested to work on same server where issue reproduced.
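
The trace in the report shows `SplFileInfo::isDir()` being called on `htdocs/..`, the parent-directory entry that PHP's `DirectoryIterator` returns alongside real files. The following is an added example, not e107's code and not the fix from this issue: a hypothetical `scan_within_root()` helper that walks a tree while skipping dot entries and symlinks, run on a constructed sample tree.

```php
<?php
// Added illustration, not e107 code. Assumption: the scan walks a tree with
// SPL iterators, as the SplFileInfo::isDir() frame in the trace suggests.

/**
 * List every regular file under $root without ever touching "." or "..",
 * so no path outside $root is handed to the filesystem (and open_basedir).
 */
function scan_within_root(string $root): array
{
    $rootReal = realpath($root);
    if ($rootReal === false || !is_dir($rootReal)) {
        throw new InvalidArgumentException("Not a readable directory: $root");
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $files = [];
    $stack = [$rootReal];
    while ($stack) {
        $dir = array_pop($stack);
        foreach (new DirectoryIterator($dir) as $entry) {
            // DirectoryIterator yields "." and ".."; stat-ing "<root>/.."
            // at the top level is a path outside an open_basedir of <root>.
            if ($entry->isDot()) {
                continue;
            }
            if ($entry->isLink()) {
                // Do not follow symlinks; their targets may leave the root.
                continue;
            }
            $path = $entry->getPathname();
            if ($entry->isDir()) {
                $stack[] = $path;          // descend later, still under root
            } elseif ($entry->isFile()) {
                $files[] = substr($path, strlen($prefix)); // root-relative
            }
        }
    }
    sort($files);
    return $files;
}

// Constructed sample tree in the temp directory (names are illustrative).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . uniqid();
mkdir("$root/e107_admin", 0700, true);
touch("$root/index.php");
touch("$root/e107_admin/fileinspector.php");
print_r(scan_within_root($root));
```

Running it with `open_basedir` set to the sample root (for example via `php -d open_basedir=...`) exercises the same restriction the report hit.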