Bug #28632 LOAD DATA LOCAL security hole problem is still not solved
Submitted: 2004-06-04 16:22 UTC Modified: 2004-06-04 17:27 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: unknown at masterhost dot ru Assigned:
Status: Closed Package: MySQL related
PHP Version: 4.3.5RC2?-4.3.7 OS: FreeBSD
Private report: No CVE-ID: None
 [2004-06-04 16:22 UTC] unknown at masterhost dot ru
Description:
------------
 
 The file accesses with 'LOAD DATA LOCAL INFILE' are made by the MySQL client library, so you can access any file which the webserver process can access, IGNORING the open_basedir option!
 
 This problem was reported about a year ago (Bug #23779 LOAD DATA LOCAL isn't respecting open_basedir), and you tried to resolve it:
 
 http://cvs.php.net/diff.php/php-src/ext/mysql/php_mysql.c?r1=1.174.2.13&r2=1.174.2.14&ty=h
 
  /* disable local infile option for open_basedir */ 
  if (strlen(PG(open_basedir))) { 
      client_flags ^= CLIENT_LOCAL_FILES; 
  } 

  You have used XOR, so if the user specifies options '128' as the fifth parameter of mysql_connect() with open_basedir restrictions enabled, it should disable LOAD DATA LOCAL. But with options '0' given, it enables LOAD DATA LOCAL, so we have it enabled by default!

  It seems it should not be just an XOR, maybe
    client_flags &= (32767^CLIENT_LOCAL_FILES); 
  or something like this.
 

Reproduce code:
---------------
<?php

$link = mysql_connect('host', 'user', 'password', false, 0);
$db_selected = mysql_select_db('database', $link);

$result = mysql_query("LOAD DATA LOCAL INFILE 'datafile.txt' INTO TABLE test");
if (!$result) {
   die('Invalid query: ' . mysql_error());
}

mysql_close($link);

?>


Expected result:
----------------
There should be an error:

Invalid query: The used command is not allowed with this MySQL version

But there isn't; the query is successful...

Actual result:
--------------
Data from file is inserted to 'test' table.
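
The toggle-versus-clear behaviour described in the report, as an added example (not part of the original report and not code from php-src). The value 128 for CLIENT_LOCAL_FILES comes from the report; the function names, the sample open_basedir path and the extra flag bit are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value the report gives for the LOAD DATA LOCAL capability bit. */
#define CLIENT_LOCAL_FILES 128UL

/* Behaviour of the quoted check: XOR toggles the bit instead of clearing it,
 * so a caller passing 0 ends up with LOAD DATA LOCAL switched on. */
unsigned long flags_xor(unsigned long client_flags, const char *open_basedir)
{
    if (strlen(open_basedir)) {
        client_flags ^= CLIENT_LOCAL_FILES;
    }
    return client_flags;
}

/* Hardened form (hypothetical helper): AND with the complement clears the
 * bit whatever its previous state and leaves every other flag untouched. */
unsigned long flags_clear(unsigned long client_flags, const char *open_basedir)
{
    if (strlen(open_basedir)) {
        client_flags &= ~CLIENT_LOCAL_FILES;
    }
    return client_flags;
}

/* Non-zero when the flag set would allow LOAD DATA LOCAL. */
int local_infile_enabled(unsigned long client_flags)
{
    return (client_flags & CLIENT_LOCAL_FILES) != 0;
}

int main(void)
{
    const char *basedir = "/home/site";              /* constructed sample */
    unsigned long inputs[] = { 0, 128, 2, 128 | 2 }; /* constructed flag sets */

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("in=%3lu  xor: local=%d  clear: local=%d\n", inputs[i],
               local_infile_enabled(flags_xor(inputs[i], basedir)),
               local_infile_enabled(flags_clear(inputs[i], basedir)));
    }
    return 0;
}
```

With open_basedir unset, both functions return the caller's flags unchanged, so the restriction only applies where the quoted check intended it to.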

 [2004-06-04 16:37 UTC] unknown at masterhost dot ru
The problem is present in older versions too. I have checked it with 4.3.5RC2 and 4.3.7 on FreeBSD 4.9, but it seems other versions after May 2003 are vulnerable, and it's OS-independent.
 [2004-06-04 17:27 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2022-03-12 16:57 UTC] dralpha400 at gmail dot com
I have the same bug in almaheron.com
 