robbat2@orbis-terrarum.net wrote:
In this case, evil user is a malicious user that has access to a database or table already, and wants to root the system. Evil user adds a transform that reads a piece of data from the server as a root user, somewhere else on the file system, say /tmp (using the docSQL bug). The fix can conform to your naming requirements or not. Now evil user makes his own table, and puts in a value of '/etc/shadow' or any file he wants. He then gets the exact transform he wants to run on the '/etc/shadow' string. He's now got your entire /etc/shadow file, with your passwords or worse.
Robin,
I don't understand your point. I think that, for this to work, the web server would have to run under a privileged user (a thing definitely not recommended) and/or PHP would not be set in safe mode. And if PHP is not in safe mode, it's a lot easier than you describe to read in some protected files.
Marc