PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability

by Nikola Strahija on February 6th, 2002

The safe_mode feature in PHP may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that have been restricted when PHP safe_mode was enabled.


In particular, the MySQL client library that ships with PHP does not properly honor safe_mode. As a result, it is possible to use a LOAD DATA statement to read files that exist in restricted areas of the filesystem (as determined by PHP safe_mode).

Exploit:

The attached script (linked below) will, once configured correctly, attempt to read
"/var/log/lastlog" via the SQL daemon and return it to the client.

$ cp safe_mode.php /www
$ wget -qO lastlog_via_mysql localhost/safe_mode.php
$ diff /var/log/lastlog lastlog_via_mysql; echo $?
0

http://downloads.securityfocus.com/vulnerabilities/exploits/safemodexploit.php
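
A defensive check for the behaviour described above, as an added example that is not part of the original advisory: it scans SQL statements (for instance, taken from a query log or from application source) for LOAD DATA ... INFILE reads whose file path falls outside the directories PHP scripts are meant to reach. The function names, the constructed sample statements and the /www/import allow-list are assumptions made for illustration.

```python
import posixpath
import re

# Matches: LOAD DATA [LOW_PRIORITY | CONCURRENT] [LOCAL] INFILE 'file_name'
LOAD_DATA_RE = re.compile(
    r"""\bLOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?(?:LOCAL\s+)?INFILE\s+(['"])(.+?)\1""",
    re.IGNORECASE | re.DOTALL,
)

def outside_allowed(path, allowed_dirs):
    """True if path, after collapsing '.' and '..', is not under an allowed directory."""
    if not path.startswith("/"):
        return True  # relative path: base directory unknown, treat as suspect
    norm = posixpath.normpath(path)
    for base in allowed_dirs:
        base = posixpath.normpath(base)
        # Compare on a directory boundary so /www/import_x does not pass as /www/import
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return False
    return True

def flag_load_data(statements, allowed_dirs):
    """Return (statement, file_path) pairs for LOAD DATA reads outside allowed_dirs."""
    hits = []
    for stmt in statements:
        for m in LOAD_DATA_RE.finditer(stmt):
            path = m.group(2)
            if outside_allowed(path, allowed_dirs):
                hits.append((stmt, path))
    return hits

# Constructed sample statements (not taken from a real log)
SAMPLE = [
    "SELECT id FROM users WHERE name = 'bob'",
    "LOAD DATA LOCAL INFILE '/var/log/lastlog' INTO TABLE t",
    "load data infile '/www/import/prices.csv' into table prices",
    "LOAD DATA LOCAL INFILE '/www/import/../../var/log/lastlog' INTO TABLE t",
]
ALLOWED = ["/www/import"]  # assumed allow-list for this example

if __name__ == "__main__":
    for stmt, path in flag_load_data(SAMPLE, ALLOWED):
        print(f"outside allowed dirs: {path!r} in: {stmt}")
```
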

