Hosting Provided By

Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass

From: Ronald Chmara <ron(at)Opus1.COM>
Date: Wed Sep 12 2007 - 01:59:36 EDT

Two years ago, I wrote a semi similar post to this one, but, well, I'm old and tired of seeing this now. Time for folks to upgrade.

On Sep 10, 2007, at 9:38 PM, laurent.gaffie@gmail.com wrote:

> Application: PHP <=5.2.4
> Web Site: http://php.net
> Platform: unix
> Bug: safemode & open_basedir bypass
> ======
> 2) Bug
> ======
> various mysql functions safemode & open_basedir bypass
> ( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )
Not a PHP *bug*, so much as yet another reason why "safe mode" and "open_basedir" are fundamentally wrong ideas (and are being terminated, with prejudice, in future PHP development). Users (and hosting companies) are unedumacated on how the whole concepts of permissions work, turn on something they think is "safe", and are surprised by the results.

> <?php
> mysql_connect("localhost", "granted_user","something");
> mysql_query("select load_file(0x2F6574632F706173737764)into
> dumpfile'/test/123.txt';");
> ?>

In this case:
PHP has basedir restrictions.
Apache has directory restrictions.
....But, well, mysql?

What restrictions have you placed upon it, per user, and filesystem?

Apparently, it's allowed to write to /test/, *and* the user perms used to talk to mysql seem horribly broad, since it can get user perms. So, since any Apache/PHP/mysql user on a shared host (or whatever) in the above scenario can write to whatever they want from mysql to /test/, it's fair game.

You see, any PHP library used, be it mysql, odbc, *whatever*, that can be given arguments, *and does not filter* those arguments *in the library*, based on per-apache-instance-per-user restrictions, can be used to cross boundaries, escalate boundaries, etc.

Do you need help?

Since on a shared host, it's often the case that 20. or 50, or whatever many users have permissions (though apache and mysql) to write to any directories that apache and mysql have write permissions to, yes, PHP can *try* to clean up the activities involves, but it's a fools errand.

mysql_query("select load_file (foo) into dumpfile'/ massive_directory_pool/user_i_hate/index.html;"); # if the mysql user has perms, Game over. PHP/apache isn't even relevant anymore, if *mysql*
# has perms to write to the user's directory

So, for mental exercise: A GD library creating an "image" in another directory, because apache and PHP trust GD? How about a PDF file? A blog backup file?

You see, the problem *isn't* PHP, it's underlying libraries inheriting perms, and using perms, that are not appropriate for the purpose of isolating users.

The fix?

Give each user their own apache, their own mysql, their own chroot'ed box (or vm/xen image..).

Since that's not gonna happen anytime soon for resellers who over- subscribed their hardware, the current solution seems to be "point and giggle".

-Ronabop Received on Wed Sep 12 12:22:58 2007

Do you need more help?

This message: [ Message body ]
Next message: Ben Wheeler: "Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass"
Previous message: Integrigy Alerts: "Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information"
In reply to: laurent.gaffie(at)gmail.com: "PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass"
Next in thread: Ben Wheeler: "Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:15:21 EDT