ID:               28632
 User updated by:  unknown at masterhost dot ru
 Reported By:      unknown at masterhost dot ru
 Status:           Open
 Bug Type:         MySQL related
-Operating System: any
+Operating System: FreeBSD
-PHP Version:      4.3.7
+PHP Version:      4.3.5RC2?-4.3.7
 New Comment:

The problem is present in older versions too. I have checked it with
4.3.5RC2 and 4.3.7 on FreeBSD 4.9, but it seems other versions after
May 2003 are vulnerable, and it's OS-independent.


Previous Comments:
------------------------------------------------------------------------

[2004-06-04 16:22:25] unknown at masterhost dot ru

Description:
------------
 
 The file accesses with 'LOAD DATA LOCAL INFILE' are made by the MySQL
client library, so you can access any file which the web server process
can access, IGNORING the open_basedir option!
 
 This problem was reported about a year ago (Bug #23779 LOAD DATA
LOCAL isn't respecting open_basedir), and you tried to resolve it:
 

http://cvs.php.net/diff.php/php-src/ext/mysql/php_mysql.c?r1=1.174.2.13&r2=1.174.2.14&ty=h
 
  /* disable local infile option for open_basedir */ 
  if (strlen(PG(open_basedir))) { 
      client_flags ^= CLIENT_LOCAL_FILES; 
  } 

  You have used XOR, so if the user specifies '128' as the fifth
parameter for mysql_connect() with open_basedir restrictions enabled,
it should disable LOAD DATA LOCAL. But with '0' given, it enables
LOAD DATA LOCAL, so we have it enabled by default!

  It seems it should not be just an XOR; maybe
    client_flags &= (32767^CLIENT_LOCAL_FILES); 
  or something like this.
 

Reproduce code:
---------------
<?php

$link = mysql_connect('host', 'user', 'password', false, 0);
$db_selected = mysql_select_db('database', $link);

$result = mysql_query("LOAD DATA LOCAL INFILE 'datafile.txt' INTO TABLE test");
if (!$result) {
   die('Invalid query: ' . mysql_error());
}

mysql_close($link);

?>


Expected result:
----------------
There should be an error:

Invalid query: The used command is not allowed with this MySQL version

But there isn't; the query is successful...

Actual result:
--------------
Data from file is inserted to 'test' table.


------------------------------------------------------------------------
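
The flag arithmetic described in the report above, as an added example that is not part of the original report or of PHP's source: it compares the quoted XOR check, the mask suggested in the report, and an AND with the complement. CLIENT_LOCAL_FILES is taken as 128 as stated in the report; the function names, OTHER_FLAG and HIGH_FLAG are hypothetical.

```c
#include <stdio.h>

#define CLIENT_LOCAL_FILES 128UL /* value the report gives for this bit */
#define OTHER_FLAG 32UL          /* constructed: stands in for any other option */
#define HIGH_FLAG 65536UL        /* constructed: an option above bit 14 */

/* The check quoted in the report: XOR toggles the bit, it does not clear it. */
unsigned long restrict_xor(unsigned long client_flags, int basedir_set)
{
    if (basedir_set)
        client_flags ^= CLIENT_LOCAL_FILES;
    return client_flags;
}

/* The mask suggested in the report: clears the bit, and also every bit
 * above bit 14, because 32767 only covers the low 15 bits. */
unsigned long restrict_mask15(unsigned long client_flags, int basedir_set)
{
    if (basedir_set)
        client_flags &= (32767UL ^ CLIENT_LOCAL_FILES);
    return client_flags;
}

/* AND with the complement: clears only CLIENT_LOCAL_FILES. */
unsigned long restrict_clear(unsigned long client_flags, int basedir_set)
{
    if (basedir_set)
        client_flags &= ~CLIENT_LOCAL_FILES;
    return client_flags;
}

int local_infile_enabled(unsigned long client_flags)
{
    return (client_flags & CLIENT_LOCAL_FILES) != 0;
}

int main(void)
{
    /* Constructed inputs: flag values a script could pass to mysql_connect(). */
    unsigned long in[] = { 0, CLIENT_LOCAL_FILES, OTHER_FLAG,
                           OTHER_FLAG | CLIENT_LOCAL_FILES, HIGH_FLAG };
    size_t i;

    printf("%8s %8s %8s %8s\n", "input", "xor", "mask15", "clear");
    for (i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%8lu %8lu %8lu %8lu\n", in[i], restrict_xor(in[i], 1),
               restrict_mask15(in[i], 1), restrict_clear(in[i], 1));
    return 0;
}
```
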

