Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass

To: laurent.gaffie@xxxxxxxxx
Subject: Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
From: Ronald Chmara <ron@xxxxxxxxx>
Date: Tue, 11 Sep 2007 22:59:36 -0700
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070911043847.14833.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070911043847.14833.qmail@xxxxxxxxxxxxxxxxx>

Two years ago, I wrote a semi similar post to this one, but, well,I'm old and tired of seeing this now. Time for folks to upgrade.


On Sep 10, 2007, at 9:38 PM, laurent.gaffie@xxxxxxxxx wrote:

Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix
Bug: safemode & open_basedir bypass
======
2) Bug
======
various mysql functions safemode & open_basedir bypass
( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )

Not a PHP *bug*, so much as yet another reason why "safe mode" and"open_basedir" are fundamentally wrong ideas (and are beingterminated, with prejudice, in future PHP development). Users (andhosting companies) are unedumacated on how the whole concepts ofpermissions work, turn on something they think is "safe", and aresurprised by the results.

<?php
mysql_connect("localhost", "granted_user","something");
mysql_query("select load_file(0x2F6574632F706173737764)intodumpfile'/test/123.txt';");
?>


In this case:
PHP has basedir restrictions.
Apache has directory restrictions.
....But, well, mysql?

What restrictions have you placed upon it, per user, and filesystem?

Apparently, it's allowed to write to /test/, *and* the user permsused to talk to mysql seem horribly broad, since it can get userperms. So, since any Apache/PHP/mysql user on a shared host (orwhatever) in the above scenario can write to whatever they want frommysql to /test/, it's fair game.

You see, any PHP library used, be it mysql, odbc, *whatever*, thatcan be given arguments, *and does not filter* those arguments *in thelibrary*, based on per-apache-instance-per-user restrictions, can beused to cross boundaries, escalate boundaries, etc.

Since on a shared host, it's often the case that 20. or 50, orwhatever many users have permissions (though apache and mysql) towrite to any directories that apache and mysql have write permissionsto, yes, PHP can *try* to clean up the activities involves, but it'sa fools errand.

mysql_query("select load_file (foo) into dumpfile'/massive_directory_pool/user_i_hate/index.html;");# if the mysql user has perms, Game over. PHP/apache isn't evenrelevant anymore, if *mysql*

# has perms to write to the user's directory

So, for mental exercise: A GD library creating an "image" in anotherdirectory, because apache and PHP trust GD? How about a PDF file? Ablog backup file?

You see, the problem *isn't* PHP, it's underlying librariesinheriting perms, and using perms, that are not appropriate for thepurpose of isolating users.


The fix?

Give each user their own apache, their own mysql, their own chroot'edbox (or vm/xen image..).

Since that's not gonna happen anytime soon for resellers who over-subscribed their hardware, the current solution seems to be "pointand giggle".


-Ronabop

References:
- PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
  - From: laurent . gaffie

Prev by Date: Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information
Next by Date: Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Previous by thread: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Next by thread: Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Index(es):
- Date
- Thread