ID:               15375
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Bogus
 Bug Type:         MySQL related
 Operating System: All
 PHP Version:      4.1.1
 New Comment:

Thank you for your report!

The BugTraq advisory is spurious. Issues of this nature 
can be avoided by revoking the FILE permission of the 
database user.

Review:
http://www.mysql.com/doc/M/y/MySQL_Database_Administration.html
http://www.mysql.com/doc/P/r/Privilege_system.html




Previous Comments:
------------------------------------------------------------------------

[2002-02-04 21:33:31] [EMAIL PROTECTED]

it occured to me (while brushing my teeth in fact :)) that this may be
something that has to be patched in the query-parser instead, since the
solution i'm talking about will break if the user decide to build from
a custom libmysql-installation.

------------------------------------------------------------------------

[2002-02-04 21:10:42] [EMAIL PROTECTED]

A message was posted at bugtraq earlier about a problem with safe_mode
and the mysql-library used. the message is available here:

http://www.orakel.ntnu.no/~matslin/php4_safe_mode.txt

I searched the bugdb, but the bug doesnt not seem to be reported. As
the author says in the mail, this may be a problem with other
extensions as well.

As far as i can see, this could probably be fixed in the
send_file_to_server-function in libmysql.c, more specific somewhere
around line 1776 (there is also some mention about this in the mail).

The 'bug' makes it possible to read all files readable for php, even if
its running in safe mode, basedir-restrictions etc. More info in the
mail.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=15375&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to