site/blog/OVE-20191021-0001.markdown

167 lines
6.0 KiB
Markdown
Raw Permalink Normal View History

2019-10-21 19:30:02 +00:00
---
title: "OVE-20191021-0001"
2019-10-21 19:32:50 +00:00
date: "2019-10-22"
2019-10-21 19:30:02 +00:00
tags:
- security
- release
- javascript
- mysql
- oh-dear-god
---
# OVE-20191021-0001
## Within Security Advisory
Multiple vulnerabilities in the mysqljs API and code.
Security Warning Level: yikes/10
## Summary
There are multiple issues exploitable by local and remote actors in
[mysqljs][mysqljs]. These can cause application data leaks, database leaks, SQL
injections, arbitrary code execution, and credential leaks among other things.
Mysqljs is unversioned, so it is very difficult to impossible to tell how many
users are affected by this and what users can do in order to ensure they are
patched against these critical vulnerabilities.
## Background
Mysqljs is a library intended to facilitate prototyping web applications and
mobile applications using technologies such as [PhoneGap][phonegap] or
[Cordova][cordova]. These technologies allow developers to create a web
application that gets packaged and presented to users as if it was a native
application.
This library is intended to help with developers creating persistent storage for
these applications.
## Issues in Detail
There are at least seven vulnerabilities with this library, each of them will be
outlined below with a fairly vague level of detail.
### mysql.js is NOT versioned
The only version information I was able to find are the following:
- The `Last-Modified` date of Friday, March 11 2016
- The `ETag` of `80edc3e5a87bd11:0`
These header values correlate to a vulnerable version of the mysql.js file.
An entire copy of this file is embedded for purposes of explanation:
```
var MySql = {
_internalCallback : function() { console.log("Callback not set")},
Execute: function (Host, Username, Password, Database, Sql, Callback) {
MySql._internalCallback = Callback;
// to-do: change localhost: to mysqljs.com
var strSrc = "http://mysqljs.com/sql.aspx?";
strSrc += "Host=" + Host;
strSrc += "&Username=" + Username;
strSrc += "&Password=" + Password;
strSrc += "&Database=" + Database;
strSrc += "&sql=" + Sql;
strSrc += "&Callback=MySql._internalCallback";
var sqlScript = document.createElement('script');
sqlScript.setAttribute('src', strSrc);
document.head.appendChild(sqlScript);
}
}
```
### Fundamental Operation via Cross-Site Scripting
The code operates by creating a `<script>` element. The Javascript source of
this script is dynamically generated by the remote API server. This opens the
door for many kinds of Cross-Site Scripting attacks.
Especially because:
### Credentials Exposed over Plain HTTP
The script works by creating a `<script>` element pointed at a HTTP resource in
order to facilitate access to the MySQL Server. Line 6 shows that the API server
in question is being queried over UNENCRYPTED HTTP.
```
var strSrc = "http://mysqljs.com/sql.aspx?";
```
### Credentials and SQL Queries Are Not URL-Encoded Before Adding Them to a URL
Credentials and SQL queries are not URL-encoded before they are added to the
`strSrc` URL. This means that values may include other HTTP parameters that
could be evaluated, causing one of the two following:
### Potential for SQL Injection from Malformed User Input
It appears this API works by people submitting plain text SQL queries. It is
likely difficult to write these plain text queries in a way that avoids SQL
injection attacks.
### Potential for Arbitrary Code Execution
Combined with the previous issues, a SQL injection that inserts arbitrary
Javascript into the result will end up creating an arbitrary code execution bug.
This could let an attacker execute custom Javascript code on the page, which may
have even more disastrous consequences depending on the usage of this library.
### Server-Side Code has Unknown Logging Enabled
This means that user credentials and database results may be logged, stored and
leaked by the mysql.js API server without user knowledge. The server that is
running the API server may also do additional logging of database credentials
and results without user knowledge.
### Encourages Bad Practices
Mysql.js works by its API server dialing out an _UNENCRYPTED_ connection to your
MySQL server over the internet. This requires exposing your MySQL server to the
internet. This means that user credentials are vulnerable to anyone who has
packet capture abilities.
Mysql.js also encourages developers commit database credentials into their
application source code. Cursory searching of GitHub has found
[this][leakedcreds]. I can only imagine there are countless other potential
victims.
## Security Suggestions
- Do not, under any circumstances, allow connections to be made without the use
of TLS (HTTPS).
- Version the library.
- Offer the source code of the API server to allow users to inspect it and
ensure their credentials are not being stored by it.
- Detail how the IIS server powering this service is configured, proving that it
is not keeping unsanitized access logs.
- Ensure all logging methods sanitize or remove user credentials.
- URL-encode all values being sent as part of a URL.
- Do not have your service fundamentally operate as a Cross-Site Scripting
attack.
- Do not, under any circumstances, encourage developers to put database
credentials in the source code of front-end web applications.
In summary, we label this a solid yikes/10 in terms of security. It would be
advisable for current users of this library to re-evaluate the life decisions
that have lead them down this path.
## GReeTZ
Über thanks to [jadr2ddude][jaden] for helping with identifying the unfortunate
scope of these massive security issues.
Hyper thanks to [J][j] for coming up with a viable GitHub search for potentially
affected users.
[mysqljs]: http://www.mysqljs.com/
[phonegap]: https://phonegap.com/
[cordova]: https://cordova.apache.org/
[leakedcreds]: https://github.com/search?utf8=%E2%9C%93&q=%22https%3A%2F%2Fmysqljs.com%2Fmysql.js%22&type=Code
[jaden]: https://twitter.com/CompuJad
[j]: https://twitter.com/LombaxJay