From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 4 Jul 2007 09:50:48 +0200
Subject: [UNIX] MySQLDumper Vulnerability: Bypassing Apache Based Access Control Possible
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070704072451.EAEF557C6@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MySQLDumper Vulnerability: Bypassing Apache Based Access Control Possible
------------------------------------------------------------------------
SUMMARY
The main purpose of <http://www.mysqldumper.de>; MySQLDumper is "to create
full backups of large MySQL databases from a web interface without the
need for a shell access. It also allows to administrate MySQL databases".
To ensure that only authenticated users have access to an instance of
MySQLDumper the tool offers a built-in feature to create a pair of
htaccess and .htpasswd files to password protect the directory in which
the tool has been installed on Apache web servers.
A critical security issue has been found in the Open Source PHP backup
tool MySQLDumper. The issue allows to bypass an Apache based access
control created with MySQLDumper. Through this an attacker can easily gain
full control about all features of MySQLDumper.
DETAILS
Vulnerable Systems:
* MySQLDumper version 1.23_pre_release_REV227
* MySQLDumper version 1.22
* MySQLDumper version 1.21b
* MySQLDumper Typo3-Extension version 0.0.5
Inside of the generated .htaccess file the Apache directive LIMIT is used.
The parameters used within the LIMIT directive are not sufficient so that
the folder protection is not reliable. In the php file main.php in line 52
(line number depends on the version of the tool, please search for "limit
get") the content of the file .htaccess is created. Interesting is this
section:
<Limit GET>
The problem is, that this means that the password protection is only valid
for HTTP GET requests, but not for other request types like HTTP POST
requests.
To say it more clearly: If one requests a file inside of the protected
MySQLDumper folder, one is not asked for user and password if you use a
POST request to request the file. That means the whole .htaccess/.htpasswd
protection is useless.
<html><body>
<form action="http://localhost/mysqldumper1.23/main.php"
method="post">
<input type="submit" value="main">
</form>
</body></html>
In the same way it is possible to execute the functionality of MySQLDumper
to delete .htaccess and .htpasswd file via a POST request.
Workaround:
1) Delete MySQLDumper folder from web space if it is installed in a
guessable path or
2) Correct the content of .htaccess / .htpasswd files to make them
reliable.
ADDITIONAL INFORMATION
The information has been provided by Henning Pingel and Lars Houmark.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
