Author Topic: open_basedir restriction in effect  (Read 27437 times)

0 Members and 1 Guest are viewing this topic.

rascomm

  • Jr. Member
  • **
  • Posts: 2
open_basedir restriction in effect
« on: September 26, 2013, 02:00:02 PM »
Hey guys... i have been trying to make the messenger coexist with a joomla installation, finally I moved the Mibew messenger to a subdomain to keep the two applications separated so joomla runs under / at domain.com and the messenger runs under /.SubDomains/mibew at mibew.domain.com.

Joomla requires magic_quotes_gpc = Off to work, so I had to create a local php.ini file under / and it works perfectly. The problem comes with mibew as this php.ini affects everything under /.

I am getting open_basedir errors, like this:

Code: [Select] [nofollow]
Warning: session_start() [function.session-start]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/home/user/public_html/.SubDomains/mibew/libs/../) in /home/user/public_html/.SubDomains/mibew/libs/common.php

This is my php.ini:

Code: [Select] [nofollow]
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
allow_url_include = Off
;display_errors = Off
magic_quotes_gpc = Off
memory_limit = 64M
upload_max_filesize = 8M
upload_tmp_dir = /home/user/tmp
open_basedir = /tmp:/home/user/tmp:/home/user/public_html/.SubDomains/mibew:/home/user/public_html/.SubDomains/mibew/libs
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

If I comment the open_basedir line altogether i still get error messages regarding /tmp not being within the allowed paths in open_basedir.

Linux Kernel      2.6.18-448.4.1.el5.lve0.8.69
Apache version    2.2.24
MySQL version    5.1.59-rel13.0-log
PHP version    5.3.21

Any help is greatly appreciated.

RAM


faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 883
    • Mibew Messenger
Re: open_basedir restriction in effect
« Reply #1 on: September 26, 2013, 09:20:40 PM »
Please, provide the output of phpinfo() and more details on your hosting environment (i.e. OS, what mode PHP is running in, etc.).

rascomm

  • Jr. Member
  • **
  • Posts: 2
Re: open_basedir restriction in effect
« Reply #2 on: September 26, 2013, 10:52:53 PM »
Thanks FAF, i got it working, just had to declare
Code: [Select] [nofollow]
session.save_path = /home/user/tmp/sessions in my local php.ini, so that open_basedir will also include
Code: [Select] [nofollow]
open_basedir = /tmp:/home/user/tmp:/home/user/tmp/sessions:/home/user/public_html/.SubDomains/mibew
Thanks!

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 883
    • Mibew Messenger
Re: open_basedir restriction in effect
« Reply #3 on: September 26, 2013, 10:57:48 PM »
Actually, there is nothing to thank me for. However, you're welcome!  :)

maitane

  • Full Member
  • ***
  • Posts: 7
Re: open_basedir restriction in effect
« Reply #4 on: October 25, 2013, 02:22:37 PM »
Hi!
I'm having the same problem, but I don't understand how you solved it.

I installed osTicket support sistem on my website. Under that directory, I created "chat" directory where I have installed Mibew. The installation gone well and I have installed spanish language without any problem.

On the "index.php" page of the osTicket website I have placed Mibew button: "require('chat/mibewbutton.php');".
Where the php file contains this code: http://mibew.org/forums/index.php/topic,1189.0.html .

It works fine.

My problem is that on the same "index.php" this line:
"require(CLIENTINC_DIR.'footer.inc.php');" gives me an error:

Code: [Select]
PHP Warning:  require(): open_basedir restriction in effect. File(/home/myuser/public_html/osticket/include/client/footer.inc.php) is not within the allowed path(s): (/home/myuser/public_html/osticket/chat/libs/../) in /home/myuser/public_html/osticket/index.php on line 67
Before putting "require('chat/mibewbutton.php');" worked fine.

Could you tell me if it's problem from Mibew or osTicket?

(Sorry about my english)

maitane

  • Full Member
  • ***
  • Posts: 7
Re: open_basedir restriction in effect
« Reply #5 on: October 25, 2013, 03:30:11 PM »
I read that the problem is in the file common.php in libs directory. It says:
Code: [Select]
// Prevent Mibew from access to files outside the installation
@ini_set('open_basedir', dirname(__FILE__) . '/../');

Could someone tell me what I have to do to change or disable this restriction? Why is it there, which is his function?

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 883
    • Mibew Messenger
Re: open_basedir restriction in effect
« Reply #6 on: October 25, 2013, 03:36:51 PM »
Uh-oh...  :-\

First of all, the recipe you've used is almost two years old (not to mention that it's a little bit weird). In modern stable Mibew Messenger 1.6.7 there were fixed a lot of security issues.

open_basedir restriction has been adopted to make sure that even if someone will compromise a Mibew installation, it will be impossible  from a compromised code to access any file that is not a part of the application: http://www.php.net/manual/en/ini.core.php#ini.open-basedir

So, the cause of your problem is that you're including a part of Mibew into your code and by doing so activating that open_basedir restriction. And then you're trying to access the file that is not a part of Mibew and by doing so getting an exception.

There could be several ways to solve your trouble. The most simple one is to remove @ini_set('open_basedir',... string from the libs/common.php. Though, I'd not recommend you do do so due to both security reasons and the fact that you'll have to repeat this operation after each upgrade of Mibew Messenger.

Other ways will require some programming skills. For example, one could hide the button if the filename in the src attribute of the image is ended with the postfix '_off', or create a custom button generation code.

maitane

  • Full Member
  • ***
  • Posts: 7
Re: open_basedir restriction in effect
« Reply #7 on: October 25, 2013, 05:51:17 PM »
Thanks for your response. Sorry about my ignorance and my limited "programming skils", but...:

Quote
one could hide the button if the filename in the src attribute of the image is ended with the postfix '_off'

If I'm not wrong, it would require to modify the b.php file which is who makes the image src:
Code: [Select]
$image_postfix = has_online_operators($groupid) ? "on" : "off";
$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif";

So I could make that if image_postfix is _off, like you said, the filename to be empty. But, in this case, it would appear the "image not found" icon when the web loads. Any idea about how could I solve this?




faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 883
    • Mibew Messenger
Re: open_basedir restriction in effect
« Reply #8 on: October 25, 2013, 06:15:15 PM »
Quote
one could hide the button if the filename in the src attribute of the image is ended with the postfix '_off'

If I'm not wrong, it would require to modify the b.php file

Sorry, but you're wrong. I've talked about client-side solution that could be implemented in JavaScript.

maitane

  • Full Member
  • ***
  • Posts: 7
Re: open_basedir restriction in effect
« Reply #9 on: October 25, 2013, 07:06:57 PM »
Quote
one could hide the button if the filename in the src attribute of the image is ended with the postfix '_off'

If I'm not wrong, it would require to modify the b.php file

Sorry, but you're wrong. I've talked about client-side solution that could be implemented in JavaScript.

Oh, ok, thanks  :)

And what about not hide the image, put another link to the offline image instead?

faf

  • Mibew Staff Member
  • Native
  • *****
  • Posts: 883
    • Mibew Messenger
Re: open_basedir restriction in effect
« Reply #10 on: October 25, 2013, 10:42:05 PM »
And what about not hide the image, put another link to the offline image instead?

There is no simple and right way to do that in Mibew 1.6.x. At the same time, you have the recipe that should work if you disable the open_basedir restriction, so in your case it could be the lesser of evils.