PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
The 'safemodexploit.php' example was submitted by Dave Wilson <dw@dahomelands.net>:

The script will (when configured correctly) attempt to read '/var/log/lastlog' via the SQL daemon and return it to the client.

    $ cp safe_mode.php /www
    $ wget -qO lastlog_via_mysql localhost/safe_mode.php
    $ diff /var/log/lastlog lastlog_via_mysql; echo $?
    0