PHP open_basedir Is Not Configured

Severity: Low

Invicti detected that the open_basedir configuration directive was not set.


The open_basedir configuration directive can be used to restrict the folders from which local files may be included by PHP. It, therefore, acts as an effective defense-in-depth mechanism against local file inclusions. It works by taking the path to your web application as a parameter and subsequently refusing access to any file or folder that is further up in the directory tree. 

It is important to note that attackers might still include configuration files under the specified directory or read the content of your PHP scripts, should they find a local file inclusion vulnerability in your application. This directive solely prevents them from including other files on the system, such as your server's access log.

Actions To Take#

In order to activate the open_basedir protection, you need to define a php.ini directive of the same name. This can be set in the php.ini file by adding or modifying the directive as seen in the example below.

open_basedir = /var/www/html/

Please note that in the versions below PHP 5.3.0, the mode for allowing to change the directive was specified as PHP_INI_SYSTEM, which means that it was only possible to set it in the php.ini or httpd.conf files. However, starting from PHP 5.3.0, this changed to PHP_INI_ALL, which means it can be set in php.ini, .htaccess, httpd.conf, user.ini, and the Windows registry or programmatically using ini_set().


Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works