PHP open_basedir Is Not Configured - Vulnerability Database

PHP open_basedir Is Not Configured

Description

The PHP open_basedir directive restricts file system access to a specified directory tree, preventing scripts from accessing files outside the designated path. When properly configured, this directive acts as a security boundary that limits which files can be opened by PHP functions such as fopen(), file_get_contents(), and include(). Without this restriction, applications are more vulnerable to path traversal and local/remote file inclusion attacks, as attackers can potentially access sensitive files anywhere on the server's file system.

Remediation

Configure the open_basedir directive to restrict PHP file access to only the directories required by your application. This should be set in your php.ini configuration file or within your web server's virtual host configuration.

Method 1: Global Configuration (php.ini)
Add or modify the following line in your php.ini file:

open_basedir = "/var/www/html/:/tmp/"

This example restricts access to the web root and temporary directory. Adjust paths according to your application's needs.

Method 2: Per-Virtual Host (Apache)
Add the following to your Apache virtual host configuration:
php_admin_value open_basedir "/var/www/yourapp/:/tmp/"

Method 3: Per-Virtual Host (Nginx with PHP-FPM)
Add to your PHP-FPM pool configuration:
php_admin_value[open_basedir] = /var/www/yourapp/:/tmp/

After configuration, restart your web server and PHP service. Verify the setting is active by checking phpinfo() output. Use the most restrictive path possible while ensuring your application functions correctly. Separate multiple allowed directories with a colon (:) on Linux or semicolon (;) on Windows.
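As an added example (not part of this page): a small Python audit script that checks a php.ini, Apache virtual host, or PHP-FPM pool file for the directive, parsing all three forms shown above. It also flags an entry without a trailing slash, a caveat beyond the text above: PHP matches open_basedir entries as string prefixes, so "/var/www/html" would also permit "/var/www/html_backup".

```python
import re
from typing import List, Optional

# Matches the three forms shown on the page: php.ini "open_basedir = ...",
# Apache "php_admin_value open_basedir ...", and the PHP-FPM pool form
# "php_admin_value[open_basedir] = ...".
_DIRECTIVE = re.compile(
    r'^\s*(?:open_basedir\s*=|php_admin_value\[open_basedir\]\s*='
    r'|php_admin_value\s+open_basedir)\s*(.*?)\s*$')

def parse_open_basedir(config_text: str) -> Optional[List[str]]:
    """Return the allowed directories, or None when the directive is absent.
    Lines starting with ';' or '#' are comments and ignored; if the directive
    appears more than once the last one wins, as in php.ini."""
    value = None
    for line in config_text.splitlines():
        if line.lstrip().startswith((';', '#')):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(1).strip('"\'')
    if value is None:
        return None
    # Entries are separated by ':' on Linux and ';' on Windows (where a path
    # itself contains ':' after the drive letter).
    windows = ';' in value or re.match(r'^[A-Za-z]:[\\/]', value) is not None
    return [p for p in value.split(';' if windows else ':') if p]

def audit_open_basedir(config_text: str) -> List[str]:
    """Return findings; an empty list means open_basedir is set and sane."""
    dirs = parse_open_basedir(config_text)
    if dirs is None:
        return ["open_basedir is not configured"]
    if not dirs:
        return ["open_basedir is set but empty, so nothing is restricted"]
    findings = []
    for d in dirs:
        if d in ('/', '\\'):
            findings.append(f"entry {d!r} allows the entire file system")
        elif not d.endswith(('/', '\\')):
            # PHP compares entries as string prefixes, so /var/www/html also
            # admits /var/www/html_old; a trailing slash closes that gap.
            findings.append(f"entry {d!r} has no trailing slash (prefix match)")
    return findings

# Constructed samples: the page's php.ini example, and a weak variant.
SAMPLE_OK = 'open_basedir = "/var/www/html/:/tmp/"\n'
SAMPLE_WEAK = ';open_basedir = "/var/www/html/"\nopen_basedir = /var/www/html:/\n'

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, audit_open_basedir(cfg) or ["pass"])
```

Run it against the file the web SAPI actually loads (the CLI may read a different php.ini), and still confirm the live value with phpinfo() as the text says.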
