Hi Marc, everyone else,
I had to think about it a while, but came to the same conclusion:
- Don't use CLIENT_LOCAL_FILES in your scripts unless you trust the MySQL server.
- As to phpMyAdmin: Always enable CLIENT_LOCAL_FILES, as it makes no difference. Never connect to MySQL servers you don't trust ;).
- In multihosting environments not suEXEC'ing or chroot'ing PHP to separate customers, always use open_basedir to disable LOAD DATA LOCAL completely.
The following more detailed explanation is off-topic, but I'll include it as it might be interesting for others, and maybe someone has ideas or solutions I did not see?
1. Anyone with the ability to run PHP scripts on your server could set up an external MySQL server and transfer any file he can read (when running PHP scripts) to that server. Unless you're running PHP with suEXEC (or maybe chrooted), that's the user the web server runs as, so he'll probably have read access to all virtual hosts.
Countermeasures:
- safe_mode DOES NOT help here!
- I don't see how you could block access to "external" MySQL servers?
- Using sql.safe_mode to block scripts from accessing "external" servers. However, sql.safe_mode has strong limitations that might prevent you from using it (basically, connections to "localhost" only and using the username of the UID you're running the script as?).
- The only possible solution is to use open_basedir to disable LOAD DATA LOCAL altogether [for virtual hosts you don't trust], but that might break your scripts!
2. Disabling infile-local in the server only prevents your server from being used as the server part of such an attack; however, as long as you cannot block access to any other server, the "client side" problem still remains. I don't consider the "server side" that much of a problem at all.
3. As to "patched" servers - don't set the CLIENT_LOCAL_FILES flag unless you trust the server, otherwise it might transfer other files than you expect. If you run PHP suEXEC'd or chrooted, the impact can be limited, but the problem remains as long as LOAD DATA LOCAL is enabled.
Best regards, Matthias
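To make points 1 to 3 of the reply above concrete, here is an added example (not phpMyAdmin, PHP or MySQL code, and not part of the original thread): a self-contained simulation of the client/server exchange behind LOAD DATA LOCAL. The packet framing, the COM_QUERY byte, the 0xFB "send me this file" marker and the value 128 for CLIENT_LOCAL_FILES are real MySQL wire-protocol facts; the honest server, the "patched" server, the client and the in-memory filesystem are constructed here. The open_basedir handling models what the thread says (it disables LOAD DATA LOCAL completely) by simply clearing the client flag; that is an assumption about the mechanism, not a quote of PHP's source.

```python
"""Simulation of the MySQL LOAD DATA LOCAL exchange: why the decision to hand a
file to the server is made on the client side, and why a server that has
local-infile disabled does not protect a client talking to some other server."""

CLIENT_LOCAL_FILES = 128     # client capability flag (the "128 flag" in the thread)
LOCAL_INFILE_MARKER = 0xFB   # first payload byte of a server's "send me this file" request
COM_QUERY = 0x03             # command byte that precedes SQL text in a query packet

# Constructed stand-in for what the web server's UID can read on a shared host.
FAKE_FS = {
    "/var/www/customer-a/config.inc.php": b"<?php $cfg['Servers'][1]['password'] = 'hunter2';",
    "/var/www/customer-b/upload.csv": b"1,alice\n2,bob\n",
}


def pack(seq, payload):
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def unpack(packet):
    """Return (sequence id, payload) of one MySQL packet."""
    length = int.from_bytes(packet[:3], "little")
    return packet[3], packet[4:4 + length]


def honest_server(query_packet):
    """A normal server: asks for a file only when the client itself ran LOAD DATA LOCAL."""
    seq, payload = unpack(query_packet)
    sql = payload[1:].decode()                      # payload[0] is COM_QUERY
    if sql.upper().startswith("LOAD DATA LOCAL INFILE"):
        path = sql.split("'")[1]                    # the file the user named in the statement
        return pack(seq + 1, bytes([LOCAL_INFILE_MARKER]) + path.encode())
    return pack(seq + 1, b"\x00")                   # OK packet stand-in


def rogue_server(query_packet, wanted="/var/www/customer-a/config.inc.php"):
    """A 'patched' server: answers ANY query with a request for a file of its choosing."""
    seq, _ = unpack(query_packet)
    return pack(seq + 1, bytes([LOCAL_INFILE_MARKER]) + wanted.encode())


def client_run_query(sql, server, client_flags, open_basedir=None, fs=FAKE_FS):
    """Client side. Returns the file bytes the client handed to the server (b"" if none).
    Per the thread, a configured open_basedir disables LOAD DATA LOCAL completely;
    modelled here (assumption) as clearing CLIENT_LOCAL_FILES before connecting."""
    if open_basedir:
        client_flags &= ~CLIENT_LOCAL_FILES
    query = pack(0, bytes([COM_QUERY]) + sql.encode())
    seq, payload = unpack(server(query))
    if not payload or payload[0] != LOCAL_INFILE_MARKER:
        return b""                                  # ordinary result; nothing leaves the client
    # The server asked for a file. The client never checks that its own statement was a
    # LOAD DATA LOCAL; the capability flag is the only thing standing in the way.
    if not (client_flags & CLIENT_LOCAL_FILES):
        raise PermissionError("server requested a local file but CLIENT_LOCAL_FILES is not set")
    path = payload[1:].decode()
    data = fs.get(path, b"")
    # On the wire: the content in one or more packets, then an empty packet as EOF.
    packets = [pack(seq + 1, data), pack(seq + 2, b"")]
    return b"".join(unpack(p)[1] for p in packets)


def demo():
    """Run the four situations the thread discusses and collect what the client did."""
    results = {}
    # Legitimate use against an honest server: the file the user named is sent.
    results["honest"] = client_run_query(
        "LOAD DATA LOCAL INFILE '/var/www/customer-b/upload.csv' INTO TABLE t",
        honest_server, CLIENT_LOCAL_FILES)
    # Same flag, untrusted server, harmless query: the server picks the file (point 3).
    results["rogue"] = client_run_query("SELECT 1", rogue_server, CLIENT_LOCAL_FILES)
    # Flag not set: the client refuses the request, whatever the server wants.
    try:
        client_run_query("SELECT 1", rogue_server, 0)
    except PermissionError:
        results["no_flag"] = "refused"
    # Flag set, but open_basedir configured for the vhost: LOAD DATA LOCAL disabled.
    try:
        client_run_query("SELECT 1", rogue_server, CLIENT_LOCAL_FILES,
                         open_basedir="/var/www/customer-b")
    except PermissionError:
        results["open_basedir"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome!r}")
```

The "rogue" case is the whole argument of point 2: nothing in the exchange involves the server you administer, so switching local-infile off there changes nothing for a script that connects elsewhere; only the client flag (or an open_basedir that removes it) decides whether the config file leaves the box.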
-----Original Message-----
From: Marc Delisle [mailto:DelislMa@CollegeSherbrooke.qc.ca]
Sent: Monday, 20 September 2004 13:26
To: Matthias Pigulla
Cc: phpmyadmin-devel@lists.sourceforge.net
Subject: Re: [Phpmyadmin-devel] [Patch] Allow for "LOAD DATA INFILE" when using the PHP-bundled mysql client
I intend to test your patch. However, I suggest not adding a new config parameter to config.inc.php but always passing the 128 flag. Here is why.
Reading about the security issues http://dev.mysql.com/doc/mysql/en/LOAD_DATA_LOCAL.html
The first issue is not really an issue, IMO. Usually, ISPs do not let their Web server access an external MySQL server (which would have been "patched").
The second issue: well, if the ISP is concerned with this, he just has to disable the LOCAL feature in the server. And if the feature is enabled, any Web developer can code his application to use it, regardless of the setting in a "central" phpMyAdmin. Not to mention that the user can install his own copy of phpMyAdmin and enable the feature.