The PHP runtime will allow the application to access all files underneath the configured set of directories. If no value is set, the application
may access any file on the filesystem.
What is the potential impact?
open_basedir is commonly used to ensure that a PHP application can only access files needed for the application function. While
deactivating this setting does not pose a direct threat to the application’s security, it can make exploitation of other vulnerabilities easier and
more severe.
If an attacker can exploit a path traversal vulnerability, they will be able to access any file made available to the application’s user account.
This may include system-critical or otherwise sensitive files.
In shared hosting environments, a vulnerability can affect all co-hosted applications and not only the vulnerable one. open_basedir
can help limit the scope of the compromise in that case.
