ID: 15375
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: MySQL related
Operating System: All
PHP Version: 4.1.1
Assigned To: zak
New Comment:
I generally agree on Rasmus' feedback on the issue, so I'll leave it
closed. However, since this naturally works with remote mysql-servers,
setting up a server where you have the create-permission isn't really
much of a hassle.
Previous Comments:
------------------------------------------------------------------------
[2002-02-05 10:15:39] [EMAIL PROTECTED]
It works even if you are connecting to a remote MySQL server over TCP/IP,
so I don't think this is only a MySQL-related issue.
------------------------------------------------------------------------
[2002-02-05 09:53:36] [EMAIL PROTECTED]
Verified that the exploit allows any file readable by the
MySQL server to be viewed via this technique. Note that
forbidding the MySQL user CREATE permission does make the
exploit less convenient for the attacker.
The MySQL dev team is looking at ways to reduce this risk
via MySQL permission behavior in the server.
Given Rasmus' feedback on the issue, I am closing this as
a PHP bug. Hopefully, the MySQL dev team should be able
to eliminate or reduce this risk. If we can't completely
resolve it, I will re-examine this bug.
--zak@[mysql|php].com
------------------------------------------------------------------------
[2002-02-05 06:22:51] [EMAIL PROTECTED]
Humility is a dish best served lukewarm... I should have read more
carefully. :)
While Rasmus has spoken on this issue, I will take a closer look at
it tomorrow.
------------------------------------------------------------------------
[2002-02-05 06:08:01] [EMAIL PROTECTED]
While that would be an obvious solution, this is a CLIENT-matter (the
client sends the file) - and the File-privilege is only affecting the
ability to load files that are stored on the server (and not in the
client). The problem discussed is in the way that PHP will allow for
any user to upload an arbitrary file from the local server (where PHP
runs) to the MySQL-server.
I.e.: I set up a server running MySQL (or faking it, whatever) .. which
just implements the receiver-part of the send_file_to_server-function
in libmysql. This will allow me to transfer any file that the user PHP
runs under on the server has access to, regardless of safe_mode, etc.
The keyword 'local' is probably the cause of confusion, since this
causes the file to be loaded from the client - and not the server
(where the File-privilege has effect).
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15375
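
The comments above turn on the fact that the file transfer is driven by the server's reply, not by a server-side privilege. As an added example (not code from the bug report, PHP or MySQL), this detection sketch scans captured server-to-client bytes for file requests and flags any file the client never named in a `LOCAL INFILE` statement. It assumes a plaintext, uncompressed capture; the sample queries, paths and packets are constructed.

```python
import re

LOCAL_INFILE = 0xFB  # first payload byte of the server's "send me this file" request

def packets(stream: bytes):
    """Yield (sequence_id, payload) for each MySQL wire packet in a plaintext stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq, payload = stream[pos + 3], stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            return  # truncated capture: stop instead of misparsing
        yield seq, payload
        pos += 4 + length

def requested_files(server_stream: bytes):
    """File names the server asked the client to upload.

    Heuristic: the request is the first reply to a command (sequence id 1).
    A later packet starting with 0xFB is a result row whose first column is NULL.
    """
    return [p[1:].decode("utf-8", "replace")
            for seq, p in packets(server_stream)
            if seq == 1 and len(p) > 1 and p[0] == LOCAL_INFILE]

def unsolicited(client_queries, server_stream):
    """Requested files that no client statement named via LOCAL INFILE."""
    named = set()
    for q in client_queries:
        named.update(re.findall(r"LOCAL\s+INFILE\s+'([^']*)'", q, re.I))
    return [f for f in requested_files(server_stream) if f not in named]

def pkt(seq, payload):
    """Build one wire packet (used only for the constructed sample below)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample: what the client sent, and the server-to-client bytes it got back.
SAMPLE_QUERIES = ["LOAD DATA LOCAL INFILE '/tmp/report.csv' INTO TABLE t", "SELECT 1"]
SAMPLE_STREAM = (
    pkt(1, b"\xfb/tmp/report.csv")        # matches the client's own statement
    + pkt(4, b"\xfb\x011")                 # result row starting with NULL, not a request
    + pkt(1, b"\xfb/srv/app/config.inc")   # no client statement named this file
)

if __name__ == "__main__":
    print(unsolicited(SAMPLE_QUERIES, SAMPLE_STREAM))
```

A hit from `unsolicited` means the server asked for a file the application never offered, which is the situation the comments describe; the check does not work on TLS-wrapped or compressed connections.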