PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
by Nikola Strahija on February 6th, 2002

The safe_mode feature in PHP may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that have been restricted when PHP safe_mode was enabled.
In particular, the MySQL client library that ships with PHP does not properly honor safe_mode. As a result, it is possible to use a LOAD DATA statement to read files that exist in restricted areas of the filesystem (as determined by PHP safe_mode).
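The advisory itself gives no mitigation. The following is an added example, not part of the original advisory or of the linked script, showing how an administrator would take the file-reading capability away from the database account a PHP application connects with, so that a LOAD DATA statement issued through a safe_mode bypass has nothing to read. The account name 'webapp'@'localhost' is constructed for the example; the secure_file_priv variable was added to MySQL well after this advisory and is noted only for servers that have it.

```sql
-- Added example: restrict what a PHP application's MySQL account can read
-- from the database server's filesystem. 'webapp'@'localhost' is a constructed name.

-- 1. Server-side LOAD DATA INFILE, LOAD_FILE() and SELECT ... INTO OUTFILE all
--    require the global FILE privilege. An application account should not hold it.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- 2. Confirm the account is left with table-level rights on its own schema only.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 3. Check the server-wide settings. In my.cnf, under [mysqld]:
--      local-infile=0        -- refuses LOAD DATA LOCAL INFILE from any client
--      secure-file-priv=/var/lib/mysql-files
--                            -- confines server-side file reads/writes to one directory
--                            -- (only on MySQL releases newer than the one covered here)
SHOW VARIABLES WHERE Variable_name IN ('local_infile', 'secure_file_priv');
```

The point of the REVOKE is that PHP's safe_mode check happens in the PHP process, while the file read in this bug happens inside the MySQL server under its own privileges; restricting the database account and the server's file options closes the path regardless of what the PHP layer enforces.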
Exploit:
The attached script (linked below) will, once configured correctly, attempt to read "/var/log/lastlog" via the SQL daemon and return it to the client.
$ cp safe_mode.php /www
$ wget -qO lastlog_via_mysql localhost/safe_mode.php
$ diff /var/log/lastlog lastlog_via_mysql; echo $?
0
http://downloads.securityfocus.com/vulnerabilities/exploits/safemodexploit.php