Building DevSecOps solutions using AWS, Terraform and Kubernetes

PHP Security Tips - open_basedir

28th August 2021

"Terrible at creating videos, great at building e-commerce solutions"

What is open_basedir?

As someone who has inherited a lot of neglected PHP servers over the years, one simple security feature that is often overlooked is open_basedir.

This feature takes seconds to configure, and restricts the directories that PHP's file functions are allowed to access. This adds a layer of protection in the case of a directory traversal vulnerability.

For example, take this bad code:

<?php readfile($_GET['image']); ?>

Without open_basedir, this could read any file on the server that the PHP process user can read.

Once open_basedir is configured, only files within the specified directories can be read by this call; anything outside them is refused.
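The following is an added example, not code from the original post. It builds a throwaway directory standing in for a web root, tightens open_basedir at runtime (the php.ini and php-fpm equivalents are shown in the comments), and contrasts the vulnerable readfile() call with a handler that also validates the resolved path itself. All paths are assumptions for the demo.

```php
<?php
// Added example: open_basedir in action. Not part of the original post.
// The same restriction in configuration (paths are assumptions):
//   php.ini:      open_basedir = /var/www/site/public:/tmp
//   php-fpm pool: php_admin_value[open_basedir] = /var/www/site/public:/tmp
declare(strict_types=1);

// Constructed sandbox: a temp directory acting as the document root with one image.
$root = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir($root . '/images', 0700, true);
file_put_contents($root . '/images/logo.png', 'constructed PNG bytes');
$root = realpath($root); // resolve symlinks (e.g. /var -> /private/var on macOS)

// Runtime tightening: ini_set() can only narrow open_basedir, never widen it.
ini_set('open_basedir', $root);

// Hardened version of the post's readfile() handler. open_basedir would already
// block a traversal, but the code should not depend on it (defence in depth):
// resolve the requested path and require it to stay under images/.
function serveImage(string $root, string $requested): bool
{
    $base = realpath($root . '/images');
    $path = realpath($root . '/images/' . $requested); // false if outside open_basedir
    if ($base === false || $path === false) {
        return false;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved path escaped the images directory
    }
    return readfile($path) !== false;
}

// The vulnerable pattern from the post, now under open_basedir: PHP emits
// "open_basedir restriction in effect" and readfile() returns false.
$blocked = @readfile('/etc/passwd');
echo "\ndirect /etc/passwd read blocked: " . var_export($blocked === false, true) . "\n";

echo "legitimate image served: " . var_export(serveImage($root, 'logo.png'), true) . "\n";
echo "traversal attempt served: " . var_export(serveImage($root, '../../../../etc/passwd'), true) . "\n";

// Clean up the constructed sandbox.
unlink($root . '/images/logo.png');
rmdir($root . '/images');
rmdir($root);
```

Run it with the PHP CLI; the direct read is reported as blocked, the image is served, and the traversal attempt is refused both by open_basedir and by the handler's own check.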

Limitations

It is important to note that this is not a magic bullet. open_basedir only restricts PHP's own file functions; if someone can write and execute PHP code on your server, they can still reach files outside of the directory through a shell command. For example:

<?php system('cat /etc/passwd'); ?>

Like with all security, the focus should be on defense in depth.

Rhuaridh

Please get in touch through my socials if you would like to ask any questions - I am always happy to speak tech!