Re: PHP Safe Mode Filesystem Circumvention Problem

From: Ben Wheeler (b.wheeler@ULCC.AC.UK)
Date: 02/05/02


Date:         Tue, 5 Feb 2002 09:33:13 +0000
From: Ben Wheeler <b.wheeler@ULCC.AC.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Sun, Feb 03, 2002 at 10:21:44PM +0000, Dave Wilson wrote:
> PHP relies on a wrapper function around all filesystem calls to perform
> access checks, but unfortunately the bundled MySQL client library has not
> been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
[...]
> If an attacker has access to a MySQL server (either provided by you or
> himself), he can use it as a proxy by which to download files

Surely this only works if the (MySQL) username which PHP uses to access
the database has been granted the 'file' privilege to that database in
MySQL's grant tables.

The MySQL manual makes it quite clear that the 'file' privilege should not
routinely be granted.

-- begin quote --

   * Don't give the *file* privilege to all users. Any user that has
     this privilege can write a file anywhere in the file system with
     the privileges of the `mysqld' daemon!
[...]
     The *file* privilege may also be used to read any file accessible
     to the Unix user that the server runs as. This could be abused,
     for example, by using `LOAD DATA' to load `/etc/passwd' into a
     table, which can then be read with `SELECT'.

-- end quote --

I think it's not up to PHP to spot things like this, it's up to the
MySQL administrators to set up their databases securely.

--
Ben Wheeler  <b.wheeler@ulcc.ac.uk>
ULCC, but I do not speak for them.
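
An audit for the condition the quoted manual text warns about, as an added example that is not part of the original message: it scans `SHOW GRANTS` output for accounts that hold the *file* privilege, either explicitly or through `ALL PRIVILEGES ON *.*`. The account names and grant lines are constructed sample data, and the function name is hypothetical.

```python
import re

# Constructed sample: SHOW GRANTS output collected for four made-up accounts.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO 'webapp'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'
GRANT SELECT, FILE ON *.* TO 'report'@'10.0.0.%'
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `blog`.* TO 'blogger'@'%'
"""

# GRANT <privileges> ON <scope> TO 'user'@'host' (newer servers quote with backticks)
GRANT_RE = re.compile(
    r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+['`]([^'`]*)['`]@['`]([^'`]*)['`]",
    re.IGNORECASE,
)


def accounts_with_file_priv(grants_text):
    """Return {"user@host": reason} for every account that holds FILE.

    FILE is a global privilege, so it can only be granted ON *.*;
    ALL PRIVILEGES ON *.* includes it implicitly. Database-level grants
    (for example ON `blog`.*) never carry FILE and are skipped.
    """
    flagged = {}
    for line in grants_text.splitlines():
        match = GRANT_RE.match(line.strip())
        if not match:
            continue
        privs, scope, user, host = match.groups()
        if scope != "*.*":
            continue
        names = {p.strip().upper() for p in privs.split(",")}
        account = f"{user}@{host}"
        if "FILE" in names:
            flagged[account] = "explicit FILE"
        elif names & {"ALL", "ALL PRIVILEGES"}:
            flagged[account] = "ALL PRIVILEGES ON *.*"
    return flagged


if __name__ == "__main__":
    for account, reason in accounts_with_file_priv(SAMPLE_GRANTS).items():
        print(f"{account}: {reason}")
```
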
