Prevent overwriting of rules set to limit access with php-fpm


My configuration prevents users from browsing the file system, thanks to limitations set up in php-fpm (How to disable open_basedir and allow_url_fopen in PHP).

I have recently discovered a hacked site with a tool installed to bypass this limitation.

The full explanation is at https://balsn.tw/ctf_writeup/20190323-0ctf_tctf2019quals/#wallbreaker-easy

It's basically a client/server FastCGI application that allows bypassing such restrictions. Thanks to this, the hacker was able to read some configuration files he wasn't allowed to see.

Is there a way to avoid this (except, of course, making a jail for php-fpm)?

Thibault Richard On

It seems the most elegant solution on Ubuntu is the use of AppArmor (and I guess SELinux on Red Hat).

There is even a good working configuration described at https://kb.linuxlove.xyz/fpm-apparmor.html
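As an added illustration of the approach in this answer (this is not the configuration from the linked page, nor anything posted by the asker or answerer), here is a minimal AppArmor profile for php-fpm. The point it makes: open_basedir and disable_functions are enforced by PHP itself, so a FastCGI request that overrides them via PHP_ADMIN_VALUE simply switches them off, whereas an AppArmor profile is enforced by the kernel on the php-fpm worker processes and still applies after the PHP-level limits are gone. Assumptions (adjust to your install): PHP 8.1 on Ubuntu, binary /usr/sbin/php-fpm8.1, configuration under /etc/php/8.1/fpm, sockets under /run/php, and all document roots under /var/www with writable upload directories at /var/www/*/uploads.

```apparmor
# /etc/apparmor.d/usr.sbin.php-fpm8.1   (assumed path and version)
#include <tunables/global>

/usr/sbin/php-fpm8.1 flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/php>

  # php-fpm master needs these to spawn pool workers as their pool user/group
  capability setuid,
  capability setgid,
  capability chown,
  capability kill,
  capability dac_override,

  # the binary, its configuration and the PHP extensions (read/map only)
  /usr/sbin/php-fpm8.1 mr,
  /etc/php/8.1/fpm/** r,
  /usr/lib/php/** mr,
  /usr/share/php/** r,

  # runtime state: sockets, pid file, log, session and temp files
  /run/php/ rw,
  /run/php/** rwk,
  /var/log/php8.1-fpm.log w,
  /var/lib/php/sessions/ rw,
  /var/lib/php/sessions/** rwk,
  /tmp/ rw,
  /tmp/** rwk,

  # application code is read-only; only the upload directories are writable
  /var/www/ r,
  /var/www/** r,
  /var/www/*/uploads/ rw,
  /var/www/*/uploads/** rwk,

  # everything not listed above is already denied by default; these explicit
  # deny rules just make the intent visible (and win over any allow rule)
  deny /etc/shadow r,
  deny /root/** rwk,
  deny /home/** rwk,
  deny /proc/*/mem rw,
  deny /etc/php/8.1/fpm/pool.d/** w,
}
```

Load it in complain mode first so that anything the real application needs but the profile omits shows up as ALLOWED/DENIED audit lines in syslog instead of breaking the site, then switch to enforce mode once the log is clean:

apparmor_parser -r /etc/apparmor.d/usr.sbin.php-fpm8.1 followed by aa-complain /usr/sbin/php-fpm8.1, watch the audit messages while exercising the site, then aa-enforce /usr/sbin/php-fpm8.1 and confirm with aa-status that the profile is listed under "enforce mode" and that the php-fpm PIDs appear under it. Workers forked by the confined master inherit the profile, so the worker that services a forged FastCGI request is confined even though the request told PHP to drop open_basedir. Note that the profile is a kernel-level fallback, not a replacement for keeping the FastCGI socket itself out of reach of untrusted scripts.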