exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mysqldumper-bypass.txt

mysqldumper-bypass.txt
Posted Jul 7, 2007
Authored by Henning Pingel, Lars Houmark

MySQLDumper suffers from a vulnerability access control set by Apache can be bypassed. MySQLDumper 1.23_pre_release_REV227, MySQLDumper 1.22, MySQLDumper 1.21b, and MySQLDumper Typo3-Extension 0.0.5 are affected.

tags | advisory, bypass
SHA-256 | e1fd27940c995a2c6095123f4bcba8081c0d55febd1d9cfa0a174b90a4b4cd62

mysqldumper-bypass.txt

Change Mirror Download
A critical security issue has been found in the Open Source PHP backup
tool MySQLDumper [0]. The issue allows to bypass an Apache based access
control created with MySQLDumper. Through this an attacker can easily gain
full control about all features of MySQLDumper.

The authors of MySQLDumper were informed about the problem on June 12,
2007 via email. In a reply we received on June 24, 2007, one author stated
that he does not agree that there is a security issue. Because we don't
have the impression that the authors are going to fix this issue and
inform the public about the hole, we decided to publish this issue.

The issue was found by Henning Pingel and Lars Houmark.

==== About MySQLDumper ====

The main purpose of MySQLDumper is to create full backups of large MySQL
databases from a web interface without the need for a shell access. It
also allows to administrate MySQL databases.

To ensure that only authenticated users have access to an instance of
MySQLDumper the tool offers a built-in feature to create a pair of
.htaccess and .htpasswd files to password protect the directory in which
the tool has been installed on Apache web servers. This feature is
documented in a tutorial [2].

==== Affected versions ====

Every currently available version of mysqldumper listed on [1] has this hole:

- MySQLDumper 1.23_pre_release_REV227
- MySQLDumper 1.22
- MySQLDumper 1.21b
- MySQLDumper Typo3-Extension 0.0.5

==== Description of the security issue ====

Inside of the generated .htaccess file the Apache directive LIMIT is used.
The parameters used within the LIMIT directive are not sufficient so that
the folder protection is not reliable. In the php file main.php in line 52
(line number depends on the version of the tool, please search for "limit
get") the content of the file .htaccess is created. Interesting is this
section:

<Limit GET>

The problem is, that this means that the password protection is only valid
for HTTP GET requests, but not for other request types like HTTP POST
requests. For further information on the directive LIMIT please have a
look at the Apache documentation [3,4].

To say it more clearly: If one requests a file inside of the protected
MySQLDumper folder, one is not asked for user and password if you use a
POST request to request the file. That means the whole .htaccess/.htpasswd
protection is useless.

==== Proof of concept ====

<html><body>
<form action="http://localhost/mysqldumper1.23/main.php" method="post">
<input type="submit" value="main">
</form>
</body></html>

In the same way it is possible to execute the functionality of MySQLDumper
to delete .htaccess and .htpasswd file via a POST request.

==== First aid for users of MySQLDumper ====

1) Delete MySQLDumper folder from web space if it is installed in a
guessable path or
2) Correct the content of .htaccess / .htpasswd files to make them reliable.

==== Related links ====

[0] http://www.mysqldumper.de
[1] http://www.mysqldumper.de/board/downloads.php?cat=2
[2] http://www.mysqldumper.de/tuts/de/htaccess/msd_htaccess.html
[3] http://httpd.apache.org/docs/1.3/mod/core.html#limit
[4] http://httpd.apache.org/docs/2.0/mod/core.html#limit
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close