MySQLDumper vulnerability: Bypassing Apache based access control possible

2007.07.07
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

A critical security issue has been found in the Open Source PHP backup tool MySQLDumper [0]. The issue allows to bypass an Apache based access control created with MySQLDumper. Through this an attacker can easily gain full control about all features of MySQLDumper. The authors of MySQLDumper were informed about the problem on June 12, 2007 via email. In a reply we received on June 24, 2007, one author stated that he does not agree that there is a security issue. Because we don't have the impression that the authors are going to fix this issue and inform the public about the hole, we decided to publish this issue. The issue was found by Henning Pingel and Lars Houmark. ==== About MySQLDumper ==== The main purpose of MySQLDumper is to create full backups of large MySQL databases from a web interface without the need for a shell access. It also allows to administrate MySQL databases. To ensure that only authenticated users have access to an instance of MySQLDumper the tool offers a built-in feature to create a pair of .htaccess and .htpasswd files to password protect the directory in which the tool has been installed on Apache web servers. This feature is documented in a tutorial [2]. ==== Affected versions ==== Every currently available version of mysqldumper listed on [1] has this hole: - MySQLDumper 1.23_pre_release_REV227 - MySQLDumper 1.22 - MySQLDumper 1.21b - MySQLDumper Typo3-Extension 0.0.5 ==== Description of the security issue ==== Inside of the generated .htaccess file the Apache directive LIMIT is used. The parameters used within the LIMIT directive are not sufficient so that the folder protection is not reliable. In the php file main.php in line 52 (line number depends on the version of the tool, please search for "limit get") the content of the file .htaccess is created. Interesting is this section: <Limit GET> The problem is, that this means that the password protection is only valid for HTTP GET requests, but not for other request types like HTTP POST requests. For further information on the directive LIMIT please have a look at the Apache documentation [3,4]. To say it more clearly: If one requests a file inside of the protected MySQLDumper folder, one is not asked for user and password if you use a POST request to request the file. That means the whole .htaccess/.htpasswd protection is useless. ==== Proof of concept ==== <html><body> <form action="http://localhost/mysqldumper1.23/main.php" method="post"> <input type="submit" value="main"> </form> </body></html> In the same way it is possible to execute the functionality of MySQLDumper to delete .htaccess and .htpasswd file via a POST request. ==== First aid for users of MySQLDumper ==== 1) Delete MySQLDumper folder from web space if it is installed in a guessable path or 2) Correct the content of .htaccess / .htpasswd files to make them reliable. ==== Related links ==== [0] http://www.mysqldumper.de [1] http://www.mysqldumper.de/board/downloads.php?cat=2 [2] http://www.mysqldumper.de/tuts/de/htaccess/msd_htaccess.html [3] http://httpd.apache.org/docs/1.3/mod/core.html#limit [4] http://httpd.apache.org/docs/2.0/mod/core.html#limit


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top