English | Vietnamese
 

banner

[Rule] Rules  [Home] Main Forum  [Portal] Portal  
[Members] Member Listing  [Statistics] Statistics  [Search] Search  [Reading Room] Reading Room 
[Register] Register   [Login] Loginhttp  | https  ]
 
Forum Index Thông tin new bugs và exploits MySQLDumper Vulnerability: Bypassing Apache Access Control  XML
  [Announcement]   MySQLDumper Vulnerability: Bypassing Apache Access Control 05/07/2007 18:28:45 (+0700) | #1 | 69058
[Avatar]
 conmale
Administrator
Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
Offline
[Profile] [PM]
MySQLDumper Vulnerability: Bypassing Apache Based Access Control Possible
------------------------------------------------------------------------

SUMMARY
The main purpose of <http://www.mysqldumper.de> MySQLDumper is "to create full backups of large MySQL databases from a web interface without the need for a shell access. It also allows to administrate MySQL databases".

To ensure that only authenticated users have access to an instance of MySQLDumper the tool offers a built-in feature to create a pair of htaccess and .htpasswd files to password protect the directory in which the tool has been installed on Apache web servers.

A critical security issue has been found in the Open Source PHP backup tool MySQLDumper. The issue allows to bypass an Apache based access control created with MySQLDumper. Through this an attacker can easily gain full control about all features of MySQLDumper.

DETAILS
Vulnerable Systems:
* MySQLDumper version 1.23_pre_release_REV227
* MySQLDumper version 1.22
* MySQLDumper version 1.21b
* MySQLDumper Typo3-Extension version 0.0.5

Inside of the generated .htaccess file the Apache directive LIMIT is used.
The parameters used within the LIMIT directive are not sufficient so that the folder protection is not reliable. In the php file main.php in line 52 (line number depends on the version of the tool, please search for "limit get") the content of the file .htaccess is created. Interesting is this section:

Code:
<Limit GET>


The problem is, that this means that the password protection is only valid for HTTP GET requests, but not for other request types like HTTP POST requests.

To say it more clearly: If one requests a file inside of the protected MySQLDumper folder, one is not asked for user and password if you use a POST request to request the file. That means the whole.htaccess/.htpasswd
protection is useless.

Code:
<html><body>
    <form action="http://localhost/mysqldumper1.23/main.php" 
method="post">
       <input type="submit" value="main">
    </form>
</body></html>


In the same way it is possible to execute the functionality of MySQLDumper to delete .htaccess and .htpasswd file via a POST request.

Workaround:
1) Delete MySQLDumper folder from web space if it is installed in a
guessable path or
2) Correct the content of .htaccess / .htpasswd files to make them
reliable.

ADDITIONAL INFORMATION
The information has been provided by Henning Pingel and Lars Houmark.
What bringing us together is stronger than what pulling us apart.
[Up] [Print Copy]
  [Question]   MySQLDumper Vulnerability: Bypassing Apache Access Control 05/08/2007 01:42:53 (+0700) | #2 | 76858
bmc_smile
Member
[Minus]    0    [Plus]
Joined: 03/08/2007 22:59:20
Messages: 5
Offline
[Profile] [PM]
2) Correct the content of .htaccess / .htpasswd files to make them
reliable.
trước giò em vẫn dùng cái nì cho nó, thanks bác đã cập nhật, tý em lên vá lỗi cho nó.
[Up] [Print Copy]
[digg] [delicious] [google] [yahoo] [technorati] [reddit] [stumbleupon]
Go to: 
 Users currently in here 
1 Anonymous

Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 © v2012|0504|218|