Re: PHP Safe Mode Filesystem Circumvention Problem

From: Ben Wheeler (b.wheeler@ULCC.AC.UK)
Date: 02/05/02 

Date:         Tue, 5 Feb 2002 09:33:13 +0000
From: Ben Wheeler <b.wheeler@ULCC.AC.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Sun, Feb 03, 2002 at 10:21:44PM +0000, Dave Wilson wrote:
> PHP relies on a wrapper function around all filesystem calls to perform
> access checks, but unforunately the bundled MySQL client library has not
> been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
[...]
> If an attacker has access to a MySQL server (either provided by you or
> himself), he can use it as a proxy by which to download files

Surely this only works if the (MySQL) username which PHP uses to access
the database has been granted the 'file' privilege to that database in
MySQL's grant tables.

The MySQL manual makes it quite clear that the 'file' privilege should not
routinely be granted.

-- begin quote --

   * Don't give the *file* privilege to all users. Any user that has
     this privilege can write a file anywhere in the file system with
     the privileges of the `mysqld' daemon!
[...]
     The *file* privilege may also be used to read any file accessible
     to the Unix user that the server runs as. This could be abused,
     for example, by using `LOAD DATA' to load `/etc/passwd' into a
     table, which can then be read with `SELECT'.

-- end quote --

I think it's not up to PHP to spot things like this, it's up to the
MySQL administrators to set up their databases securely. 

--
Ben Wheeler  <b.wheeler@ulcc.ac.uk>
ULCC, but I do not speak for them.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by Qualys - Make Your Network Secure
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Go Beyond PARTIAL Security: FREE White Paper

Stop hassling with half-baked ENTERPRISE SECURITY.
FREE White Paper shows you how to ensure TOTAL security for your Internet
perimeter with the most current and most complete PROACTIVE Vulnerability
Assessment solution. Get your FREE White Paper now. Click here!
https://www.qualys.com/forms/techwhite_86.html
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Relevant Pages

  • Re: I am totally stumped..with this on..LOAD_FILE Mysql+PHP= FSCK!!
    ... What I am trying to do is to upload files and stuff them in a mysql database. ... I copied the temporary file to somewhere else, and then handed it to MySQL..THAT WORKED.. ... Is there a way to force a close on the file..maybe that's the problem Mysql is opening a file that is not flushed to disk maybe? ... I gew the feeling its maintaining its own picture of file objects, and doesn't actually flush to the disk unless you do a copy or close php.. ...
    (comp.lang.php)
  • Re: I am totally stumped..with this on..LOAD_FILE Mysql+PHP= FSCK!!
    ... What I am trying to do is to upload files and stuff them in a mysql database. ... I copied the temporary file to somewhere else, and then handed it to MySQL..THAT WORKED.. ... Is there a way to force a close on the file..maybe that's the problem Mysql is opening a file that is not flushed to disk maybe? ... I gew the feeling its maintaining its own picture of file objects, and doesn't actually flush to the disk unless you do a copy or close php.. ...
    (comp.lang.php)
  • Re: com_dotnet
    ... And if MySQL isn't installed, the DLL won't load and phpinfowill show MySQL support isn't enabled. ... The MySQL interface is NOT compiled into PHP on the distributed Windows binaries - or you'd never be able to run PHP unless you had MySQL installed. ... *SOME* extensions are protocols, some are functional resources, and some are just type libraries. ... If you're going to compile the extension into PHP itself, the libraries must be available at compile time, and when you run PHP, or PHP won't load. ...
    (comp.lang.php)
  • Re Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
    ... > various mysql functions safemode & open_basedir bypass ... PHP is currently very used because it's easy to use. ... Apache has directory restrictions. ... # if the mysql user has perms, ...
    (Bugtraq)
  • Re: [PHP] Select record by ID
    ... But I dont want to be a php copy/paste newb who has no clue ... Bad Guys know that you are probably using that user_id in an SQL ... The mysql_real_escape_string() part is a function provided by MySQL ... mysql_real_escape_stringtakes the 'Kevin O'Brien' and converts it ...
    (php.general)