php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15408 Safe Mode / MySQL Vuln,
Submitted: 2002-02-06 16:03 UTC Modified: 2002-02-06 16:05 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dw at dahomelands dot net Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 4.1.1 OS: All
Private report: No CVE-ID: None
 [2002-02-06 16:03 UTC] dw at dahomelands dot net
------------------------------------------------------------------------------

                          Security Advisory DW020203-PHP
                            Release: 3rd February 2002

                  PHP Safe Mode Filesystem Circumvention Problem

  Severity:   Medium to high.
  Affects:    PHP, all versions which include safe_mode feature.
  Platform:   UNIX, Microsoft Windows, any platforms on which PHP is 
available.
  Vendor:     http://php.net.
  Discovered: 12th January 2002, Dave Wilson <dw@dahomelands.net>, using
              PHP 4.1.0 & Apache 2 on Linux.

 
------------------------------------------------------------------------------


VULNERABILITY IN BRIEF

    PHP (since version 3?) includes a commonly used feature known as 
Safe Mode.
    When enabled, scripts are highly limited in their ability to access or
    execute local files, among other things.

    PHP relies on a wrapper function around all filesystem calls to perform
    access checks, but unforunately the bundled MySQL client library has not
    been modified to perform such checks on "LOAD DATA INFILE LOCAL" 
statements.

    If an attacker has access to a MySQL server (either provided by you or
    himself), he can use it as a proxy by which to download files 
residing on
    the safe_mode-enabled web server. For large ISPs relying on this feature
    for individual customer privacy, it could mean clients accessing each
    other's files, or viewing of files on an improperly secured server.


FIX

    Currently, no fix exists. You may use other PHP safe_mode functions to
    disable the use of the MySQL client library, or secure your servers in a
    proper fashion.. A suggested fix for the PHP developers might be to scan
    mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".

    Happy hackers out there might like to look at libmysql.c:1764 if 
interested
    in fixing this problem, although that may only be possible from 
within PHP.


EXAMPLE

    The attached script will (once configured correctly) attempt to read
    "/var/log/lastlog" via the SQL daemon and return it to the client.

    $ cp safe_mode.php /www
    $ wget -qO lastlog_via_mysql localhost/safe_mode.php
    $ diff /var/log/lastlog lastlog_via_mysql; echo $?
    0


COMMENTS

    Due to the nature of the PHP project, development is very rapid and 
hence
    many sites do not keep up with latest PHP versions. If a fix was 
available,
    it would take quite a while to propagate.

    It is likely that this is not an isolated problem in PHP, my bets are on
    PostgreSQL and other PHP database extensions missing this one too.

    The MySQL support has been enabled in PHP by default for as long as 
I can
    remember.

DAVE WILSON

    Currently residing in Belfast, Northern Ireland, he is available for 
work
    relating to network security auditing, post-attack recovery and 
forensics,
    and penetration testing. He may be contacted at <dw@dahomelands.net>. If
    you have any comments regarding this advisory, please contact him 
directly.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-06 16:05 UTC] derick@php.net
Duplicate (because it was already posted exactly like this, I made it bogus)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 08:01:26 2024 UTC