PHP open_basedir is not set
Description
The PHP open_basedir directive is a security configuration that restricts file system access to a specified directory tree. When properly configured, it prevents PHP scripts from accessing files outside the designated paths using functions like fopen(), file_get_contents(), or include(). Without this restriction, applications are more vulnerable to path traversal and local/remote file inclusion attacks, as malicious actors can potentially access sensitive files anywhere on the server's file system.
Remediation
Configure the open_basedir directive to restrict PHP file access to your application's directory and any required system paths.
Method 1: Configure in php.ini (Recommended for server-wide protection)
; Restrict to application directory and temp folder
open_basedir = /var/www/html/your_app:/tmp
Method 2: Configure in Apache VirtualHost
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/html/your_app
php_admin_value open_basedir "/var/www/html/your_app:/tmp"
</VirtualHost>
Method 3: Configure in .htaccess (if allowed)
php_value open_basedir "/var/www/html/your_app:/tmp"
After changing the configuration, restart the web server (or reload PHP-FPM) and verify the effective value with phpinfo() or ini_get('open_basedir'); php_ini_loaded_file() tells you which php.ini was actually read, which helps when the setting does not appear. Ensure all legitimate application paths are included (for example the session save path, temporary and cache directories, and any libraries outside the document root) to prevent functionality issues. Directories are separated by a colon on Unix-like systems and a semicolon on Windows. The Apache php_admin_value and php_value directives only take effect when PHP runs as an Apache module; with PHP-FPM, set php_admin_value[open_basedir] in the pool configuration instead. Note that open_basedir constrains only PHP's own file functions: it does not confine programs started with exec() or shell_exec(), so it complements rather than replaces input validation.
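The following verification script is an added example, not part of the original advisory. It reports whether open_basedir is active for the SAPI that executes it and proves the restriction by attempting a read outside the allowed tree. The function name openBasedirStatus and the probe path /etc/hostname are assumptions; change the probe if that file happens to sit inside your allowed directories.

```php
<?php
// Added verification example (not part of the original advisory).
// Reports whether open_basedir is active for the running SAPI and proves it by
// attempting to read a file that should lie outside every allowed directory.
// $outsidePath is an assumed probe path; adjust it if /etc/hostname is inside
// your allowed tree.

declare(strict_types=1);

function openBasedirStatus(string $outsidePath = '/etc/hostname'): array
{
    $value = ini_get('open_basedir');
    $configured = is_string($value) && $value !== '';

    // PATH_SEPARATOR is ':' on Unix-like systems and ';' on Windows,
    // the same separator open_basedir uses between directories.
    $allowed = $configured ? explode(PATH_SEPARATOR, $value) : [];

    // Probe: a read outside the allowed tree must fail with the specific
    // "open_basedir restriction in effect" warning, not merely "no such file".
    // The @ suppresses output but error_get_last() still records the warning.
    error_clear_last();
    $data = @file_get_contents($outsidePath);
    $last = error_get_last();
    $blocked = $data === false
        && $last !== null
        && strpos($last['message'], 'open_basedir restriction in effect') !== false;

    // A read inside the allowed tree (this script's own file) must still work,
    // otherwise the application itself would be broken by the restriction.
    $insideOk = @file_get_contents(__FILE__) !== false;

    return [
        'sapi'                 => PHP_SAPI,
        'ini_file'             => php_ini_loaded_file(),  // which php.ini was loaded
        'open_basedir'         => $configured ? $allowed : null,
        'read_outside_blocked' => $blocked,
        'read_inside_allowed'  => $insideOk,
        'effective'            => $configured && $blocked && $insideOk,
    ];
}

// Request this file through the web server so the web SAPI's ini is checked.
header('Content-Type: text/plain');
$status = openBasedirStatus();
print_r($status);
exit($status['effective'] ? 0 : 1);
```

Place the script inside the application directory, request it once through the web server, and remove it afterwards. Running it with the command-line interpreter is not a valid check, because the CLI SAPI may load a different php.ini (compare `php --ini` with the ini_file value reported from the web request). error_clear_last() requires PHP 7 or later.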