Bug #15375 safe_mode wrappers fail for MySQL (other exts?)
Submitted: 2002-02-04 21:10 UTC Modified: 2003-04-24 04:21 UTC
Votes: 6
Avg. Score: 5.0 ± 0.0
Reproduced: 6 of 6 (100.0%)
Same Version: 1 (16.7%)
Same OS: 6 (100.0%)
From: matslin at orakel dot ntnu dot no Assigned: zak (profile)
Status: Closed Package: MySQL related
PHP Version: 4.1.1 OS: All
Private report: No CVE-ID: None
 [2002-02-04 21:10 UTC] matslin at orakel dot ntnu dot no
A message was posted at bugtraq earlier about a problem with safe_mode and the mysql library used. The message is available here:

http://www.orakel.ntnu.no/~matslin/php4_safe_mode.txt

I searched the bugdb, but the bug does not seem to be reported. As the author says in the mail, this may be a problem with other extensions as well.

As far as I can see, this could probably be fixed in the send_file_to_server function in libmysql.c, more specifically somewhere around line 1776 (there is also some mention of this in the mail).

The 'bug' makes it possible to read all files readable for PHP, even if it's running in safe mode, under basedir restrictions, etc. More info in the mail.

 [2002-02-04 21:33 UTC] matslin at orakel dot ntnu dot no
It occurred to me (while brushing my teeth, in fact :)) that this may be something that has to be patched in the query parser instead, since the solution I'm talking about will break if the user decides to build from a custom libmysql installation.
 [2002-02-05 01:32 UTC] zak@php.net
Thank you for your report!

The BugTraq advisory is spurious. Issues of this nature can be avoided by revoking the FILE permission of the database user.

Review:
http://www.mysql.com/doc/M/y/MySQL_Database_Administration.html
http://www.mysql.com/doc/P/r/Privilege_system.html


 [2002-02-05 06:08 UTC] matslin at orakel dot ntnu dot no
While that would be an obvious solution, this is a CLIENT matter (the client sends the file), and the FILE privilege only affects the ability to load files that are stored on the server (and not on the client). The problem discussed is in the way that PHP will allow any user to upload an arbitrary file from the local server (where PHP runs) to the MySQL server.

I.e.: I set up a server running MySQL (or faking it, whatever) which just implements the receiver part of the send_file_to_server function in libmysql. This will allow me to transfer any file that the user PHP runs under on the server has access to, regardless of safe_mode, etc.

The keyword 'local' is probably the cause of confusion, since it causes the file to be loaded from the client, and not from the server (where the FILE privilege has effect).
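The client-side check the reporter is asking for (the client, not the server, decides whether a requested path is inside its safe_mode/basedir sandbox), as an added Python illustration that is not part of this bug thread or of libmysql. It assumes the MySQL wire format for a LOCAL INFILE request (a packet whose payload starts with the 0xFB marker byte followed by the filename); the file names and the open_basedir value are constructed.

```python
import os

LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server's LOCAL INFILE request


def parse_packet(data: bytes):
    """Split a raw MySQL packet into (sequence_id, payload).

    Header: 3-byte little-endian payload length, then a 1-byte sequence id.
    """
    if len(data) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return data[3], payload


def requested_local_file(payload: bytes):
    """Return the filename the server asked for, or None if this packet is not a request."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", "replace")
    return None


def client_policy(payload: bytes, *, local_infile_enabled: bool, open_basedir: str):
    """Decide whether a client should honour a LOCAL INFILE request.

    Returns ("ignore", None) for packets that request nothing, ("send", name)
    when the request is permitted, and ("refuse", reason) otherwise.  The
    decision is taken here, on the client, because the server's FILE
    privilege never applies to files the client itself reads.
    """
    name = requested_local_file(payload)
    if name is None:
        return ("ignore", None)
    if not local_infile_enabled:
        return ("refuse", "LOCAL INFILE disabled in client")
    # realpath collapses '..' and symlinks so the containment test cannot be bypassed
    real = os.path.realpath(name)
    base = os.path.realpath(open_basedir)
    if os.path.commonpath([real, base]) != base:
        return ("refuse", f"{name} is outside {open_basedir}")
    return ("send", name)
```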
 [2002-02-05 06:22 UTC] zak@php.net
Humility is a dish best served lukewarm... I should have read more carefully. :)

While Rasmus has spoken on this issue, I will take a closer look at it tomorrow.
 [2002-02-05 09:53 UTC] zak@php.net
Verified that the exploit allows any file readable by the MySQL server to be viewed via this technique. Note that forbidding the MySQL user CREATE permission does make the exploit less convenient for the attacker.

The MySQL dev team is looking at ways to reduce this risk via MySQL permission behavior in the server.

Given Rasmus' feedback on the issue, I am closing this as a PHP bug. Hopefully, the MySQL dev team should be able to eliminate or reduce this risk. If we can't completely resolve it, I will re-examine this bug.

--zak@[mysql|php].com

 [2002-02-05 10:15 UTC] vitek at zoner dot com
It works even if you are connecting to a remote mysql server over tcp/ip, so I don't think this is only a mysql-related issue.
 [2002-02-05 12:24 UTC] matslin at orakel dot ntnu dot no
I generally agree with Rasmus' feedback on the issue, so I'll leave it closed. However, since this naturally works with remote mysql servers, setting up a server where you have the create permission isn't really much of a hassle.
 [2002-02-10 14:18 UTC] zak@php.net
A fix for this behavior should appear within the next few releases of the MySQL 4.0.x series.

I will update this bug when the fix is implemented.

 [2002-09-19 23:14 UTC] zak@php.net
I should re-examine this one as well. 
 [2003-04-24 04:21 UTC] georg@php.net
This problem is already closed. Bundled libmysql doesn't support local anymore.