[RESOLVED] "open_basdir restriction in effect" because query string is being misinterpreted (?)

cbj4074

Might anyone know why I am receiving an "open_basdir restriction in effect" message when the file in question appears to be within one of the allowed paths?

Here's the error message:

[Tue May 14 05:26:52 2013] [warn] [client 1.2.3.4] mod_fcgid: stderr: PHP Warning:  file_exists(): open_basedir restriction in effect. File(/var/www/example.com/web/wp-content/themes/ElegantEstate/timthumb.php/wp-content/uploads/2012/09/Copy-of-Reta) is not within the allowed path(s): (/var/www/clients/client7/web23/web:/var/www/clients/client7/web23/tmp:/var/www/example.com/web:/var/www/example.com/tmp:/srv/www/example.com/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/usr/share/squirrelmail:/etc/squirrelmail:/etc/mailname:/etc/hostname:/usr/share/php:/etc/roundcube/:/usr/share/roundcube:/var/log/roundcube:/var/lib/roundcube:/var/www/clients/client7/web23/protected:/var/www/example.com/protected) in /var/www/clients/client7/web23/web/wp-content/themes/ElegantEstate/timthumb.php on line 849

Is this happening because Apache interprets the bold portion of /var/www/example.com/web/wp-content/themes/ElegantEstate/timthumb.php/wp-content/uploads/2012/09/Copy-of-Reta is an actual filesystem path (when it should be interpreted as a query string that is passed to the PHP script, timthumb.php?

If so, what might the fix be? Some mod_rewrite change?

Thanks in advance!

bradgrafelman

cbj4074;11029439 wrote:
Is this happening because Apache interprets the bold portion of /var/www/example.com/web/wp-content/themes/ElegantEstate/timthumb.php/wp-content/uploads/2012/09/Copy-of-Reta is an actual filesystem path (when it should be interpreted as a query string that is passed to the PHP script, timthumb.php?

Can you show us line 849 of timthumb.php?

cbj4074

Hi, bradgrafelman, and thanks for the quick reply.

Sure, here's the surrounding PHP code:

$base = $this->docRoot;
foreach (explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])) as $sub){
        $base .= $sub . '/';
        $this->debug(3, "Trying file as: " . $base . $src);
        if(file_exists($base . $src)){
                $this->debug(3, "Found file as: " . $base . $src);
                $real = realpath($base . $src);
                if(strpos($real, $realDocRoot) === 0){
                        return $real;
                } else {
                        $this->debug(1, "Security block: The file specified occurs outside the document root.");
                        //And continue search
                }
        }
}
return false;

Line 849 contains "if(file_exists($base . $src)){". Unfortunately, this is on a production website, so my ability to var_dump() and similar is limited. I suppose that I could always log debugging output to file, or output it within HTML remarks, but my hope is that someone can point-out the likely solution (if one is to be had) before any of that becomes necessary.

Just let me know if more source code snippets are needed.

Thanks again!

cbj4074

After performing additional research on this issue, I noticed that "legitimate" requests to this script include a "src" query string parameter, e.g., the string "?src=/path/to/requested/image.jpg". If I specify the path in that format, the script returns the expected output (an actual thumbnail image).

So, I'm beginning to wonder if these warnings aren't simply the result of search engines or bots that are obtaining invalid URLs from one place or another, and not so much the hallmark of a true "problem".

In Apache's access.log:

/var/www/example.com/log/20130609-access.log:199.21.99.115 - - [09/Jun/2013:05:23:13 -0700] "GET /wp-content/themes/ElegantEstate/timthumb.php?src=http://example.com/wp-content/uploads/2012/09/TestImage-1. HTTP/1.1" 400 214 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"

And the corresponding entry in Apache's error.log:

/var/www/example.com/log/error.log:[Sun Jun 09 05:23:13 2013] [warn] [client 199.21.99.115] mod_fcgid: stderr: PHP Warning:  file_exists(): open_basedir restriction in effect. File(/var/www/example.com/web/wp-content/themes/ElegantEstate/timthumb.php/wp-content/uploads/2012/09/TestImage-1.) is not within the allowed path(s): (/var/www/clients/client7/web23/web:/var/www/clients/client7/web23/tmp:/var/www/example.com/web:/var/www/example.com/tmp:/srv/www/example.com/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/usr/share/squirrelmail:/etc/squirrelmail:/etc/mailname:/etc/hostname:/usr/share/php:/etc/roundcube/:/usr/share/roundcube:/var/log/roundcube:/var/lib/roundcube:/var/www/clients/client7/web23/protected:/var/www/example.com/protected) in /var/www/clients/client7/web23/web/wp-content/themes/ElegantEstate/timthumb.php on line 849

I noticed that the HTTP GET request from access.log includes the entire URL (including protocol and host). So, I tried including the full URL to a real/existing image, and that works as expected, too.

I then noticed that the file name of the requested image is truncated in the GET request: the real file name is "TestImage-1-Large.jpg" (and the GET request includes only "TestImage-1").

It seems the bottom line is that TimThumb is simply poorly-written and doesn't perform a few simple checks that could eliminate this junk from my error logs.

In any case, I don't think this is worth troubleshooting any further. I really appreciate the feedback nonetheless.

Cheers!