Re: PHP Safe Mode Filesystem Circumvention Problem

From: Ben Wheeler (b.wheeler@ULCC.AC.UK)
Date: 02/05/02

Date:         Tue, 5 Feb 2002 09:33:13 +0000
From: Ben Wheeler <b.wheeler@ULCC.AC.UK>

On Sun, Feb 03, 2002 at 10:21:44PM +0000, Dave Wilson wrote:
> PHP relies on a wrapper function around all filesystem calls to perform
> access checks, but unfortunately the bundled MySQL client library has not
> been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
> If an attacker has access to a MySQL server (either provided by you or
> himself), he can use it as a proxy by which to download files

Surely this only works if the (MySQL) username which PHP uses to access
the database has been granted the 'file' privilege to that database in
MySQL's grant tables.

The MySQL manual makes it quite clear that the 'file' privilege should not
routinely be granted.

-- begin quote --

   * Don't give the *file* privilege to all users. Any user that has
     this privilege can write a file anywhere in the file system with
     the privileges of the `mysqld' daemon!
     The *file* privilege may also be used to read any file accessible
     to the Unix user that the server runs as. This could be abused,
     for example, by using `LOAD DATA' to load `/etc/passwd' into a
     table, which can then be read with `SELECT'.

-- end quote --

I think it's not up to PHP to spot things like this; it's up to the
MySQL administrators to set up their databases securely.

Ben Wheeler  <>
ULCC, but I do not speak for them.
