Re: PHP Safe Mode Filesystem Circumvention ProblemFrom: Ben Wheeler (b.wheeler@ULCC.AC.UK)
- Previous message: Davis, Matt: "ISAPI Priority issue with IIS 5.0"
- In reply to: Dave Wilson: "PHP Safe Mode Filesystem Circumvention Problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 5 Feb 2002 09:33:13 +0000 From: Ben Wheeler <b.wheeler@ULCC.AC.UK> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
On Sun, Feb 03, 2002 at 10:21:44PM +0000, Dave Wilson wrote:
> PHP relies on a wrapper function around all filesystem calls to perform
> access checks, but unforunately the bundled MySQL client library has not
> been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
> If an attacker has access to a MySQL server (either provided by you or
> himself), he can use it as a proxy by which to download files
Surely this only works if the (MySQL) username which PHP uses to access
the database has been granted the 'file' privilege to that database in
MySQL's grant tables.
The MySQL manual makes it quite clear that the 'file' privilege should not
routinely be granted.
-- begin quote --
* Don't give the *file* privilege to all users. Any user that has
this privilege can write a file anywhere in the file system with
the privileges of the `mysqld' daemon!
The *file* privilege may also be used to read any file accessible
to the Unix user that the server runs as. This could be abused,
for example, by using `LOAD DATA' to load `/etc/passwd' into a
table, which can then be read with `SELECT'.
-- end quote --
I think it's not up to PHP to spot things like this, it's up to the
MySQL administrators to set up their databases securely.
-- Ben Wheeler <email@example.com> ULCC, but I do not speak for them.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Delivery co-sponsored by Qualys - Make Your Network Secure oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Go Beyond PARTIAL Security: FREE White Paper
Stop hassling with half-baked ENTERPRISE SECURITY. FREE White Paper shows you how to ensure TOTAL security for your Internet perimeter with the most current and most complete PROACTIVE Vulnerability Assessment solution. Get your FREE White Paper now. Click here! https://www.qualys.com/forms/techwhite_86.html oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo