Warning: file_exists(): open_basedir restriction in effect. File(/tmp/mysql.sock) is not within the allowed path(s): (/home/remiphpcgi1781051155/:/usr/share/) in /home/remiphpcgi1781051155/remiphp-cgi.178-105-115-5.myboltip.com/public_html/index.php on line 154

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/.s.PGSQL.5432) is not within the allowed path(s): (/home/remiphpcgi1781051155/:/usr/share/) in /home/remiphpcgi1781051155/remiphp-cgi.178-105-115-5.myboltip.com/public_html/index.php on line 154

Warning: file_exists(): open_basedir restriction in effect. File(/var/lib/mysql/mysql.sock) is not within the allowed path(s): (/home/remiphpcgi1781051155/:/usr/share/) in /home/remiphpcgi1781051155/remiphp-cgi.178-105-115-5.myboltip.com/public_html/index.php on line 154
Tenant Isolation & Impersonation Test

Tenant Isolation & Impersonation Test

SAPI: cgi-fcgi · PHP: 8.4.22 · Host: www.remiphp-cgi.178-105-115-5.myboltip.com · DOC_ROOT: /home/remiphpcgi1781051155/remiphp-cgi.178-105-115-5.myboltip.com/public_html · Tenant: remiphpcgi1781051155

1) open_basedir

Check	Value	Result	Note
open_basedir	`/home/remiphpcgi1781051155/:/usr/share/`	PASS	restriction set
read /etc/passwd	`denied`	PASS	blocked
list /etc	`denied`	PASS	blocked
list / (root)	`denied`	PASS	blocked
list /home (tenant enumeration)	`denied`	PASS	blocked
read /etc/shadow	`denied`	PASS	blocked (DAC/basedir)

2) /tmp cross-tenant leak

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/pentest_public_html_2aaf2e5ed3a52a64f22a3729359e2e09.txt) is not within the allowed path(s): (/home/remiphpcgi1781051155/:/usr/share/) in /home/remiphpcgi1781051155/remiphp-cgi.178-105-115-5.myboltip.com/public_html/index.php on line 506

Check	Value	Result	Note
this tenant tmp file	`/tmp/pentest_public_html_2aaf2e5ed3a52a64f22a3729359e2e09.txt`	PASS	not planted yet
other tenants /tmp markers	`none`	PASS	no foreign pentest_* visible
*/tmp/sess_ leak**	`none`	PASS	no foreign sess_* readable
/tmp/mysql.sock exists?	`no`	PASS	not present
/tmp/.s.PGSQL.5432 exists?	`no`	PASS	not present
/var/lib/mysql/mysql.sock exists?	`no`	PASS	not present

3) suEXEC / process identity

Check	Value	Result	Note
PHP process user	`remiphpcgi1781051155 (uid=? gid=? real_uid=?)`	PASS	looks per-user
Process groups		PASS	must NOT be in "apache" group (would allow reading other FPM sockets)
Expected owner from DOC_ROOT	`remiphpcgi1781051155`	PASS	matches
Newly-written file owner	`2002`	FAIL	wrong owner

4) Cross-tenant impersonation (target: `bobi`)

Probe	Result	Status	Note
stat /home/bobi	`denied`	PASS	blocked
list /home/bobi	`denied`	PASS	blocked
list /home/bobi/public_html	`denied`	PASS	blocked
read /home/bobi/.bashrc	`denied`	PASS	blocked
read /home/bobi/.bash_history	`denied`	PASS	blocked
read /home/bobi/.ssh/authorized_keys	`denied`	PASS	blocked
read /home/bobi/.ssh/id_rsa	`denied`	PASS	blocked
list /home/bobi/tmp/sessions	`denied`	PASS	blocked
write to /home/bobi/tmp/	`denied`	PASS	blocked
common config files (wp-config/.env/etc.)	`none readable`	PASS	blocked

5) open_basedir bypass tricks

Trick	Result	Status	Note
symlink to /etc/passwd	`blocked`	PASS	blocked
symlink /tmp -> /home/bobi/.bashrc	`blocked`	PASS	blocked
glob:// /etc/*	`blocked (only tz symlink resolved into /usr/share)`	PASS	blocked
glob:// /root/*	`blocked`	PASS	blocked
phar:// write test	`n/a`	N/A	self-target — not a cross-tenant probe
chdir + ../ escape	`blocked`	PASS	blocked
realpath() outside basedir	`null`	PASS	blocked

6) disable_functions & command execution

Function	State	Status	Note
exec	`disabled`	PASS
shell_exec	`disabled`	PASS
system	`disabled`	PASS
passthru	`disabled`	PASS
proc_open	`disabled`	PASS
popen	`disabled`	PASS
pcntl_exec	`disabled`	PASS
mail	`ENABLED`	PASS
imap_open	`disabled`	PASS
dl	`disabled`	PASS
putenv	`ENABLED`	PASS
posix_kill	`disabled`	PASS
posix_setuid	`disabled`	PASS
posix_seteuid	`disabled`	PASS
actual `id` output	`(all blocked) backtick=EXC:Call to undefined function shell_exec()`	PASS	all exec attempts blocked

7) /proc enumeration

Check	Value	Status	Note
list /proc	`denied`	PASS	blocked
read /proc/self/status	`denied`	PASS	blocked
read /proc/<PID>/environ or cmdline of other PIDs	`none`	PASS	blocked

8) Privilege escalation / FPM socket impersonation

Probe	Result	Status	Note
posix_setuid(0)	`disabled`	PASS	expected to fail
posix_seteuid(0)	`disabled`	PASS	expected to fail
*list /run .sock**	`denied/none`	PASS	blocked
connect to foreign FPM socket	`n/a`	N/A	nothing foreign to test against

raw php config

Setting	Value
open_basedir	`/home/remiphpcgi1781051155/:/usr/share/`
disable_functions	pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,passthru,shell_exec,system,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,popen,dl,show_source,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
upload_tmp_dir	`/home/remiphpcgi1781051155/tmp`
sys_temp_dir	`/home/remiphpcgi1781051155/tmp`
session.save_path	`/home/remiphpcgi1781051155/tmp/sessions`
sendmail_path	`/usr/sbin/sendmail -t -i`

Tip: deploy this same file to /home/bobi/... and visit both vhosts. Use ?action=plant on tenant A, then visit tenant B with ?other=remiphpcgi1781051155 — section 4 should show all PASS.