Let me begin with the fact that I know that this is given a lot. Nothing answers my problem.
Script kiddies look for admin paths by clicking URLs like
mysite.com/index.php/admin/login
The main file intercepts their request and looks for whether they want to request the real file. This is rejected without warning on servers where open_basedir is not configured, which is the correct behavior. Unfortunately, on servers where we use open_basedir, the file_exists function throws warnings.
I narrowed it down to a simple example.
Put this in index.php and change the path to the folder where your php files are
<?php
ini_set('open_basedir', '/path/to/files');
var_dump(
ini_get('open_basedir'),
file_exists(realpath('index.php').'/')
);
Now you see a warning, for example
Warning: file_exists() [<a href='function.file-exists'>function.file-exists</a>]: open_basedir restriction in effect. File(/path/to/files/index.php/) is not within the allowed path(s): (/path/to/files) in /path/to/files/index.php on line
edit:
It should be noted that requesting a nonexistent file with a trailing slash does not raise a warning.
var_dump('/path/to/files/bogus.php/');
false, .
, , ?
second edit:
php 5.3.3-7 + squeeze17