ID: 15375
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: MySQL related
Operating System: All
PHP Version: 4.1.1
Assigned To: zak
New Comment:

Verified that the exploit allows any file readable by the MySQL server to be viewed via this technique.

Note that forbidding the MySQL user CREATE permission does make the exploit less convenient for the attacker.

The MySQL dev team is looking at ways to reduce this risk via MySQL permission behavior in the server.

Given Rasmus' feedback on the issue, I am closing this as a PHP bug. Hopefully, the MySQL dev team should be able to eliminate or reduce this risk. If we can't completely resolve it, I will re-examine this bug.

--zak@[mysql|php].com

Previous Comments:
------------------------------------------------------------------------

[2002-02-05 09:53:11] [EMAIL PROTECTED]

Verified that the exploit allows any file readable by the MySQL server to be viewed via this technique.

Note that forbidding the MySQL user CREATE permission does make the exploit less convenient for the attacker.

The MySQL dev team is looking at ways to reduce this risk via MySQL permission behavior in the server.

Given Rasmus' feedback on the issue, I am closing this as a PHP bug. Hopefully, the MySQL dev team should be able to eliminate or reduce this risk. If we can't completely resolve it, I will re-examine this bug.

--zak@[mysql|php].com

------------------------------------------------------------------------

[2002-02-05 06:22:51] [EMAIL PROTECTED]

Humility is a dish best served lukewarm... I should have read more carefully. :)

While Rasmus has spoken on this issue, I will take a closer look at it tomorrow.

------------------------------------------------------------------------

[2002-02-05 06:08:01] [EMAIL PROTECTED]

While that would be an obvious solution, this is a CLIENT-matter (the client sends the file) - and the File-privilege is only affecting the ability to load files that are stored on the server (and not in the client).

The problem discussed is in the way that PHP will allow for any user to upload an arbitrary file from the local server (where php runs) to the MySQL-server.

IE: I set up a server running MySQL (or faking it, whatever) .. which just implements the receiver-part of the send_file_to_server-function in libmysql. This will allow me to transfer any file that the user PHP runs under on the server has access to, regardless of safe_mode, etc.

The keyword 'local' is probably the cause of confusion, since this causes the file to be loaded from the client - and not the server (where the File-privilege has effect).

------------------------------------------------------------------------

[2002-02-05 01:32:49] [EMAIL PROTECTED]

Thank you for your report!

The BugTraq advisory is spurious. Issues of this nature can be avoided by revoking the FILE permission of the database user.

Review:
http://www.mysql.com/doc/M/y/MySQL_Database_Administration.html
http://www.mysql.com/doc/P/r/Privilege_system.html

------------------------------------------------------------------------

[2002-02-04 21:33:31] [EMAIL PROTECTED]

It occurred to me (while brushing my teeth in fact :)) that this may be something that has to be patched in the query-parser instead, since the solution I'm talking about will break if the user decides to build from a custom libmysql-installation.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/15375
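
A client-side check against the behaviour described in the [2002-02-05 06:08:01] comment, added here as an example and not taken from the bug report, PHP or libmysql: the client honours the server's file request only when the query it just sent named that same file with LOAD DATA LOCAL INFILE. The function names, the simplified query regex and the sample packets are assumptions constructed for illustration; the 0xFB request marker and the 3-byte length plus 1-byte sequence framing are those of the MySQL client/server protocol.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB  # first payload byte when the server asks the client for a file

def build_packet(seq, payload):
    """Frame a payload as a MySQL wire packet (used here only to construct samples)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_packet(buf):
    """Split one packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(buf) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(buf[:3], "little")
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return buf[3], payload

def requested_file(payload):
    """Filename the server wants the client to send, or None for any other reply."""
    if payload[:1] == bytes([LOCAL_INFILE_REQUEST]):
        return payload[1:].decode("utf-8", "replace")
    return None

# Simplified assumption: only a single-quoted literal filename is recognised.
_LOCAL = re.compile(
    r"\bLOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)

def verdict(sql, first_reply):
    """Decide what the client does with the first reply packet to `sql`."""
    _, payload = parse_packet(first_reply)
    wanted = requested_file(payload)
    if wanted is None:
        return "no-request"
    asked = _LOCAL.search(sql)
    if asked and asked.group(1) == wanted:
        return "send"
    return "refuse"  # the server named a file this query never offered

# Constructed sample replies and query (not captured traffic).
OK_REPLY = build_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")
ASK_CSV = build_packet(1, b"\xfb" + b"report.csv")
ASK_OTHER = build_packet(1, b"\xfb" + b"/etc/passwd")
LOAD_SQL = "LOAD DATA LOCAL INFILE 'report.csv' INTO TABLE t"

if __name__ == "__main__":
    for sql, reply in [("SELECT 1", OK_REPLY), (LOAD_SQL, ASK_CSV),
                       (LOAD_SQL, ASK_OTHER), ("SELECT 1", ASK_OTHER)]:
        print(f"{sql[:30]!r:34} -> {verdict(sql, reply)}")
```

The check is independent of the server-side FILE privilege, which the thread notes has no effect on the LOCAL case.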