The PHP developers are aware of this, and are working with MySQL to make it
safer.
it should be noted that PHP safe mode, whilst making the environment
generally safer, is not an easy-answer to webserver security. The only real
solution is to learn about better security and configuration.
--james
--
James Cox :: [EMAIL PROTECTED]
Was I helpful? http://www.amazon.co.uk/exec/obidos/wishlist/23IVGHQ61RJGO/
> -Original Message-
> From: Gerard Onorato [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 05, 2002 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP / MYSQL security bug
>
>
> Maybe I missed the thread but I was wondering if anyone has seen this
> report or done any testing on it.
>
> We tested it and it seems a pretty valid problem. Can anyone comment on a
> fix that may be in the works?
>
> Gerard
>
> --
> ---
> Security Advisory DW020203-PHP
> Release: 3rd February 2002
> PHP Safe Mode Filesystem Circumvention Problem
> Severity: Medium to high.
> Affects: PHP, all versions which include safe_mode feature.
> Platform: UNIX, Microsoft Windows, any platforms on which PHP is
> available.
> Vendor: http://php.net.
> Discovered: 12th January 2002, Dave Wilson <[EMAIL PROTECTED]>, using
> PHP 4.1.0 & Apache 2 on Linux.
>
> --
>
>
> VULNERABILITY IN BRIEF
> PHP (since version 3?) includes a commonly used feature known as
> Safe Mode.
> When enabled, scripts are highly limited in their ability to access or
> execute local files, among other things.
> PHP relies on a wrapper function around all filesystem calls to perform
> access checks, but unforunately the bundled MySQL client library has not
> been modified to perform such checks on "LOAD DATA INFILE LOCAL"
> statements.
> If an attacker has access to a MySQL server (either provided by you or
> himself), he can use it as a proxy by which to download files residing on
> the safe_mode-enabled web server. For large ISPs relying on this feature
> for individual customer privacy, it could mean clients accessing each
> other's files, or viewing of files on an improperly secured server.
>
> FIX
> Currently, no fix exists. You may use other PHP safe_mode functions to
> disable the use of the MySQL client library, or secure your servers in a
> proper fashion.. A suggested fix for the PHP developers might be to scan
> mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".
> Happy hackers out there might like to look at libmysql.c:1764 if
> interested
> in fixing this problem, although that may only be possible from
> within PHP.
>
> EXAMPLE
> The attached script will (once configured correctly) attempt to read
> "/var/log/lastlog" via the SQL daemon and return it to the client.
> $ cp safe_mode.php /www
> $ wget -qO lastlog_via_mysql localhost/safe_mode.php
> $ diff /var/log/lastlog lastlog_via_mysql; echo $?
> 0
>
> COMMENTS
> Due to the nature of the PHP project, development is very rapid and hence
> many sites do not keep up with latest PHP versions. If a fix was
> available,
> it would take quite a while to propagate.
> It is likely that this is not an isolated problem in PHP, my bets are on
> PostgreSQL and other PHP database extensions missing this one too.
> The MySQL support has been enabled in PHP by default for as long as I can
> remember.
>
> DAVE WILSON
> Currently residing in Belfast, Northern Ireland, he is available for work
> relating to network security auditing, post-attack recovery and forensics,
> and penetration testing. He may be contacted at <[EMAIL PROTECTED]>. If
> you have any comments regarding this advisory, please contact him
> directly.
>
> Sun Feb 3 21:23:03 GMT 2002 -dw
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
