|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15408 Safe Mode / MySQL Vuln,
Submitted: 2002-02-06 16:03 UTC Modified: 2002-02-06 16:05 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dw at dahomelands dot net Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 4.1.1 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: dw at dahomelands dot net
New email:
PHP Version: OS:


 [2002-02-06 16:03 UTC] dw at dahomelands dot net

                          Security Advisory DW020203-PHP
                            Release: 3rd February 2002

                  PHP Safe Mode Filesystem Circumvention Problem

  Severity:   Medium to high.
  Affects:    PHP, all versions which include safe_mode feature.
  Platform:   UNIX, Microsoft Windows, any platforms on which PHP is 
  Discovered: 12th January 2002, Dave Wilson <>, using
              PHP 4.1.0 & Apache 2 on Linux.



    PHP (since version 3?) includes a commonly used feature known as 
Safe Mode.
    When enabled, scripts are highly limited in their ability to access or
    execute local files, among other things.

    PHP relies on a wrapper function around all filesystem calls to perform
    access checks, but unforunately the bundled MySQL client library has not
    been modified to perform such checks on "LOAD DATA INFILE LOCAL" 

    If an attacker has access to a MySQL server (either provided by you or
    himself), he can use it as a proxy by which to download files 
residing on
    the safe_mode-enabled web server. For large ISPs relying on this feature
    for individual customer privacy, it could mean clients accessing each
    other's files, or viewing of files on an improperly secured server.


    Currently, no fix exists. You may use other PHP safe_mode functions to
    disable the use of the MySQL client library, or secure your servers in a
    proper fashion.. A suggested fix for the PHP developers might be to scan
    mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".

    Happy hackers out there might like to look at libmysql.c:1764 if 
    in fixing this problem, although that may only be possible from 
within PHP.


    The attached script will (once configured correctly) attempt to read
    "/var/log/lastlog" via the SQL daemon and return it to the client.

    $ cp safe_mode.php /www
    $ wget -qO lastlog_via_mysql localhost/safe_mode.php
    $ diff /var/log/lastlog lastlog_via_mysql; echo $?


    Due to the nature of the PHP project, development is very rapid and 
    many sites do not keep up with latest PHP versions. If a fix was 
    it would take quite a while to propagate.

    It is likely that this is not an isolated problem in PHP, my bets are on
    PostgreSQL and other PHP database extensions missing this one too.

    The MySQL support has been enabled in PHP by default for as long as 
I can


    Currently residing in Belfast, Northern Ireland, he is available for 
    relating to network security auditing, post-attack recovery and 
    and penetration testing. He may be contacted at <>. If
    you have any comments regarding this advisory, please contact him 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-06 16:05 UTC]
Duplicate (because it was already posted exactly like this, I made it bogus)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 18 03:01:28 2024 UTC